1 Introduction


In 1987, Schneider presented a general paradigm that provides a single proof of a number of 
fault-tolerant clock synchronization algorithms [1]. His proof was subsequently subjected to the 
rigor of mechanical verification by Shankar [2]. However, both Schneider and Shankar assumed 
a condition Shankar refers to as bounded delay. This condition states that the elapsed time 
between synchronization events (i.e. the time that the local process applies an adjustment to 
its logical clock) is bounded. This property is really a result of the algorithm and should not 
be assumed in a proof of correctness. The purpose of this paper is to remedy this by providing 
a general proof of this property in the context of the general paradigm proposed by Schneider. 
The argument given here is based on the proof of this property for the algorithm of Welch and 
Lynch [3, Section 6]. The notation used is from [2] except where noted. 

2 Clock Definitions 

Any implementation that satisfies the definitions and constraints in Shankar’s report will provide 
the following guarantee [2]. 

Theorem 1 (bounded skew) For any two clocks p and q that are nonfaulty at time t,

$$|VC_p(t) - VC_q(t)| < \delta$$


That is, the difference in time observed by two non-faulty clocks is bounded by a small
amount. This gives the leverage needed to reliably build a fault-tolerant system. This section
presents the definitions and conditions to be met to guarantee this result. Much of it is taken from
sections 2.1 and 2.2 of Shankar's report documenting his mechanization of Schneider's proof [2].
Modifications to the conditions needed for this revision of the theory are also presented.

2.1 Notation 

A fault-tolerant clock synchronization system is composed of an interconnected collection of 
physically isolated clocks. Each redundant clock will incorporate a physical oscillator which 
marks passage of time. Each oscillator will drift with respect to real time by a small amount. 
Physical clocks derived from these oscillators will similarly drift with respect to each other. 
There are two different views of physical clocks relating different perceptions of time. Real time 
will be denoted by lower case letters, e.g. t,s: Var time. Typically, time is taken as ranging over 
the real numbers. Clock time will be represented by upper case letters, e.g. T, S : Var Clocktime. 
While Clocktime is often treated as ranging over the reals [3, 2, 4], a physical realization of a 
clock marks time in discrete intervals. It is more appropriate to treat values of type Clocktime 
as representing some integral number of ticks. There are two sets of functions associated with
the physical clocks^1: functions mapping real time to clock time for each process p,

$$PC_p : time \rightarrow Clocktime;$$

and functions mapping clock time to real time,

$$pc_p : Clocktime \rightarrow time.$$

The intended semantics are for $PC_p(t)$ to represent the reading of p's clock at real time t, and for
$pc_p(T)$ to denote the earliest real time that p's clock reads T. By definition, $PC_p(pc_p(T)) = T$,
for all T. We assume nothing about the relationship of $pc_p(PC_p(t))$ to t.

The purpose of a clock synchronization algorithm is to make periodic adjustments to local
(virtual) clocks to keep redundant clocks within a bounded skew of each other. This periodic
adjustment makes analysis difficult, so an interval clock abstraction is used in the proofs. Each
process p will have an infinite number of interval clocks associated with it; each of these will be
indexed by the number of intervals since the beginning of the protocol. An interval corresponds
to the elapsed time between adjustments to the virtual clock. These interval clocks are equivalent
to a process' physical clock plus an offset. As with the physical clocks, they are characterized
by two functions: $IC^i_p : time \rightarrow Clocktime$ and $ic^i_p : Clocktime \rightarrow time$. If we let $adj^i_p : Clocktime$
denote the cumulative adjustment made to a clock as of the ith interval, we get the following
definitions for the ith interval clock:

$$IC^i_p(t) = PC_p(t) + adj^i_p$$
$$ic^i_p(T) = pc_p(T - adj^i_p).$$

From these definitions it is simple to show $IC^i_p(ic^i_p(T)) = PC_p(pc_p(T - adj^i_p)) + adj^i_p = T$, for
all T. Sometimes it is more useful to refer to the incremental adjustment made in a particular
interval than to use a cumulative adjustment. By letting $ADJ^i_p = adj^{i+1}_p - adj^i_p$ we get the
following equations relating successive interval clocks:

$$IC^{i+1}_p(t) = IC^i_p(t) + ADJ^i_p$$
$$ic^{i+1}_p(T) = ic^i_p(T - ADJ^i_p).$$

^1 Shankar's presentation includes only the mappings from time to Clocktime. The mappings from Clocktime to
time are added here, because it is a more natural representation for some of the proofs.
A virtual clock, $VC_p : time \rightarrow Clocktime$, is defined in terms of the interval clocks by the equation

$$VC_p(t) = IC^i_p(t), \text{ for } t^i_p \le t < t^{i+1}_p.$$

The symbol $t^i_p$ denotes the instant in real time that process p begins the ith interval clock. Notice
that there is no mapping from Clocktime to time for the virtual clock. This is because $VC_p$ is
not necessarily monotonic; the inverse relation might not be a function for some synchronization
protocols.

Synchronization protocols provide a mechanism for processes to read each other's clocks. The
adjustment is computed as a function of these readings. In Shankar's presentation, the readings
of remote clocks are captured in the function $\Theta^{i+1}_p : process \rightarrow Clocktime$, where $\Theta^{i+1}_p(q)$ denotes
process p's estimate of q's ith interval clock at real time $t^{i+1}_p$ (i.e. $IC^i_q(t^{i+1}_p)$). Each process
executes the same (higher-order) convergence function, $cfn : (process, (process \rightarrow Clocktime)) \rightarrow Clocktime$,
to determine the proper correction to apply. Shankar defines the cumulative adjustment
in terms of the convergence function as follows:

$$adj^{i+1}_p = cfn(p, \Theta^{i+1}_p) - PC_p(t^{i+1}_p)$$
$$adj^0_p = 0.$$


The following can be simply derived from the preceding definitions: 

$$VC_p(t^{i+1}_p) = IC^{i+1}_p(t^{i+1}_p) = cfn(p, \Theta^{i+1}_p)$$
$$IC^{i+1}_p(t) = cfn(p, \Theta^{i+1}_p) + PC_p(t) - PC_p(t^{i+1}_p)$$
$$ADJ^i_p = cfn(p, \Theta^{i+1}_p) - IC^i_p(t^{i+1}_p).$$

Using some of these equations and the conditions presented in the next section, Shankar mechanically
verified Schneider's paradigm. This paper presents a general argument for satisfying one
of the assumptions of Shankar’s proof. The argument requires some modifications to Shankar’s 
constraints, and introduces a few new assumptions. In addition, some of the existing constraints 
are rendered unnecessary. 

A new constant, $R : Clocktime$, is introduced which denotes the expected duration of a
synchronization interval as measured by clock time (i.e. in the absence of drift and jitter,
no correction is necessary for the clocks to remain synchronized; in this case the duration
of an interval is exactly R ticks). We also introduce a collection of distinguished clock times
$S^i : Clocktime$, such that $S^i = iR + S^0$ and $S^0$ is a particular clock time in the first synchronization
interval. We also introduce the abbreviation $s^i_p$, defined to equal $ic^i_p(S^i)$. The only constraints
on $S^i$ are that for each nonfaulty clock p, and real times $t_1$ and $t_2$,

$$(VC_p(t_1) = S^i) \wedge (VC_p(t_2) = S^i) \supset t_1 = t_2,$$

and there exists some real time t, such that

$$VC_p(t) = S^i.$$

The rationale for these constraints is that we want to unambiguously define a clock time 
in each synchronization interval to simplify the arguments necessary to bound separation of 
good clocks. If we choose a clock time near the instant that an adjustment is applied, it is 
possible that the VC will never read that value (because the clock has been adjusted ahead), or 
that the value will be reached twice (due to the clock being adjusted back). In [3], the chosen 
unambiguous event is the clock time that each good processor uses to initiate the exchange 
of clock values. For other algorithms, any clock time sufficiently removed from the time of 
the adjustment will suffice. A simple way to satisfy these constraints is to ensure for all i,

$$S^i + ADJ^i_p < T^{i+1}_p < S^{i+1} - ADJ^i_p,$$

where $T^{i+1}_p = IC^i_p(t^{i+1}_p)$.


  $PC_p(t)$                 The reading of p's physical clock at real time t.

  $pc_p(T)$                 The earliest real time that p's physical clock reads T.

  $VC_p(t)$                 The reading of p's virtual clock at time t. This is the
                            logical time used by the system.

  $IC^i_p(t)$               The reading of p's ith interval clock at real time t.

  $ic^i_p(T)$               The earliest real time that p's ith interval clock reads T.

  $t^i_p$                   The real time that processor p begins the ith synchronization
                            interval.

  $adj^i_p$                 Cumulative adjustment to p's physical clock up to and
                            including $t^i_p$.

  $ADJ^i_p$                 $adj^{i+1}_p - adj^i_p$

  $\Theta^i_p$              An array of clock readings (local to p) such that $\Theta^i_p(q)$ is
                            p's reading of q's ith interval clock at $t^i_p$.

  $cfn(p, \Theta^{i+1}_p)$  Convergence function executed by p to establish the correct
                            $VC_p(t^{i+1}_p)$.

Table 1: Clock Notation


Table 1 summarizes the notation for the key elements required for a verified clock synchro- 
nization algorithm. 
2.2 The Conditions

This section introduces the conditions required by Shankar’s mechanical proof of Schneider’s 
Theory. The changes needed for the general extension to the theory are also introduced here. 
The first condition defines initial skew, $\delta_S$, which is a bound on the difference between good
clocks at the beginning of the protocol.

Old Condition 1 (initial skew) For nonfaulty processors p and q

$$|PC_p(0) - PC_q(0)| < \delta_S$$


This condition will be replaced by the following:

New Condition 1 (bounded delay init) For nonfaulty processes p and q

$$|s^0_p - s^0_q| < \beta'$$

A constraint similar to the original condition can be easily derived from this new condition
using the constraint on clock drift. Given suitable constraints on the convergence function, it
will be shown that for nonfaulty processes p and q, and all i,

$$|s^i_p - s^i_q| = |ic^i_p(S^i) - ic^i_q(S^i)| < \beta'$$

That is, $\beta'$ will be shown to bound the separation of clocks at a particular Clocktime in each
interval.

The rate at which a good clock can drift from real time is bounded by a small constant $\rho$.

Old Condition 2 (bounded drift) There is a nonnegative constant $\rho$ such that if clock
p is nonfaulty at time s, s > t, then

$$(1 - \rho)(s - t) \le PC_p(s) - PC_p(t) \le (1 + \rho)(s - t)$$


This characterization of drift is not quite accurate, and is only valid if Clocktime ranges over
the rationals or reals. If we treat Clocktime as an integer, the inequality does not hold for all s,
t, or $\rho$. We restate the condition for the mapping from Clocktime to time. To allow for future
modifications to the theory which allow for recovery from transient faults, we also remove the
implicit assumption that non-faulty clocks have been so since the beginning of the protocol.
New Condition 2 (bounded drift) There is a nonnegative constant $\rho$ such that if p's
clock is nonfaulty during the interval from T to S (S > T), then

$$(S - T)/(1 + \rho) \le pc_p(S) - pc_p(T) \le (1 + \rho)(S - T)$$


The benefit of changing the lower bound to $(S - T)/(1 + \rho)$ is that we can derive the following
constraint on the mapping from time to Clocktime:

$$(pc_p(S) - pc_p(T))/(1 + \rho) \le PC_p(pc_p(S)) - PC_p(pc_p(T)) \le (1 + \rho)(pc_p(S) - pc_p(T))$$

This is not as strong an assumption as Shankar's original condition. However, if the unit of time
is taken to be a tick of Clocktime and Clocktime ranges over the integers, we can then derive the
following bound on drift that is sufficient for preserving Shankar's mechanical proof (with minor
modifications):

$$\lfloor (s - t)/(1 + \rho) \rfloor \le PC_p(s) - PC_p(t) \le \lceil (1 + \rho)(s - t) \rceil.$$

Note that using Shankar's algebraic relations defining the various components of clocks, we can use
these constraints to bound the drift of any interval clock ($ic^i_p$) for any i.
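As an added illustration (not from the paper), the following Python model of a physical clock with integer Clocktime, together with the interval clocks of section 2.1, checks the identities $PC_p(pc_p(T)) = T$ and $IC^i_p(ic^i_p(T)) = T$ and exercises the three formulations of bounded drift above: the original condition on $PC_p$ fails even for a drift-free integer clock, while the restated condition on $pc_p$ and the derived floor/ceiling bound hold whenever the rate lies within $[1/(1+\rho), 1+\rho]$. The rate parameter, the grid of sample times and all names are assumptions of the example.

```python
from fractions import Fraction
from math import floor, ceil


class PhysicalClock:
    """Constructed model of one physical clock with integer Clocktime.

    Real time is kept exact (Fraction). The oscillator completes `rate`
    ticks per unit of real time, so PC_p(t) is the number of whole ticks
    completed by real time t and pc_p(T) is the instant tick T completes.
    A nonfaulty clock has rate in [1/(1+rho), 1+rho]."""

    def __init__(self, rate):
        self.rate = Fraction(rate)

    def PC(self, t):
        """Reading of the clock at real time t (integer ticks)."""
        return floor(Fraction(t) * self.rate)

    def pc(self, T):
        """Earliest real time at which the clock reads clock time T."""
        return Fraction(T) / self.rate


class IntervalClock:
    """The ith interval clock: the physical clock plus a cumulative offset adj^i_p."""

    def __init__(self, phys, adj):
        self.phys, self.adj = phys, adj

    def IC(self, t):
        """IC^i_p(t) = PC_p(t) + adj^i_p"""
        return self.phys.PC(t) + self.adj

    def ic(self, T):
        """ic^i_p(T) = pc_p(T - adj^i_p)"""
        return self.phys.pc(T - self.adj)

    def next_interval(self, ADJ):
        """The (i+1)th interval clock, with adj^{i+1}_p = adj^i_p + ADJ^i_p."""
        return IntervalClock(self.phys, self.adj + ADJ)


def interval_identities_hold(rate, adj, ADJ, T, t):
    """Check PC_p(pc_p(T)) = T, IC^i_p(ic^i_p(T)) = T, and the two relations
    between successive interval clocks, at clock time T and real time t."""
    phys = PhysicalClock(rate)
    ic_i = IntervalClock(phys, adj)
    ic_next = ic_i.next_interval(ADJ)
    return (phys.PC(phys.pc(T)) == T
            and ic_i.IC(ic_i.ic(T)) == T
            and ic_next.IC(t) == ic_i.IC(t) + ADJ
            and ic_next.ic(T) == ic_i.ic(T - ADJ))


def old_bounded_drift(clock, rho, t, s):
    """Old Condition 2, stated on PC_p over real times t <= s."""
    t, s, rho = Fraction(t), Fraction(s), Fraction(rho)
    d = clock.PC(s) - clock.PC(t)
    return (1 - rho) * (s - t) <= d <= (1 + rho) * (s - t)


def new_bounded_drift(clock, rho, T, S):
    """New Condition 2, stated on pc_p over integer clock times T <= S."""
    rho = Fraction(rho)
    d = clock.pc(S) - clock.pc(T)
    return (S - T) / (1 + rho) <= d <= (1 + rho) * (S - T)


def integer_bounded_drift(clock, rho, t, s):
    """The floor/ceiling bound on PC_p derived from New Condition 2."""
    t, s, rho = Fraction(t), Fraction(s), Fraction(rho)
    d = clock.PC(s) - clock.PC(t)
    return floor((s - t) / (1 + rho)) <= d <= ceil((1 + rho) * (s - t))


def drift_survey(rate, rho, max_time=30, steps_per_unit=4):
    """Count violations of each drift condition over all pairs t <= s on a
    grid of real times (and all integer clock times T <= S) up to max_time."""
    clock = PhysicalClock(rate)
    grid = [Fraction(k, steps_per_unit) for k in range(max_time * steps_per_unit + 1)]
    pairs = [(t, s) for t in grid for s in grid if t <= s]
    return {
        "old": sum(1 for t, s in pairs if not old_bounded_drift(clock, rho, t, s)),
        "integer": sum(1 for t, s in pairs if not integer_bounded_drift(clock, rho, t, s)),
        "new": sum(1 for T in range(max_time + 1) for S in range(T, max_time + 1)
                   if not new_bounded_drift(clock, rho, T, S)),
    }


if __name__ == "__main__":
    rho = Fraction(1, 100)
    # A drift-free clock (rate 1) already violates the old condition: between
    # t = 0 and s = 1/4 no tick completes, yet (1 - rho)/4 > 0 is required.
    print("rate 1:       ", drift_survey(1, rho))
    # A clock at the fastest permitted rate 1 + rho satisfies the restated
    # condition and the derived integer bound everywhere on the grid.
    print("rate 1 + rho: ", drift_survey(Fraction(101, 100), rho))
    # A clock faster than 1 + rho is rejected by the restated condition.
    print("rate 1.05:    ", drift_survey(Fraction(105, 100), rho))
```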

The following corollary to bounded drift limits the amount two good clocks can drift with 
respect to each other during the interval from T to S. 

$$|pc_p(S) - pc_q(S)| \le |pc_p(T) - pc_q(T)| + 2\rho(S - T)$$

Shankar stated the above corollary with respect to the original formulation of bounded drift. 
We can also derive an additional corollary (adapted from Lemma 2 of [3]).

$$|(pc_p(S) - S) - (pc_p(T) - T)| \le \rho|S - T|$$

A similar relation holds for PC. 

Shankar assumes a bound on the duration of the synchronization interval. 

Old Condition 3 (bounded interval) For nonfaulty clock p

$$0 < r_{min} \le t^{i+1}_p - t^i_p \le r_{max}$$


The terms $r_{min}$ and $r_{max}$ are uninstantiated constants. In our formulation, we assume that
a nominal duration (R) of an interval is determined from the implementation. We set a lower
bound on R by placing restrictions on the events $S^i$. The term $\alpha(\beta' + 2\Lambda')$ will be shown to
bound $ADJ^i_p$ for nonfaulty process p. The function $\alpha$ is introduced in condition 11, $\beta'$ is a
bound on the separation of clocks at a particular Clocktime in each interval, and $\Lambda'$ bounds the
error in estimating the value of a remote clock.

New Condition 3 (bounded interval) For nonfaulty clock p,

$$S^i + \alpha(\beta' + 2\Lambda') < T^{i+1}_p < S^{i+1} - \alpha(\beta' + 2\Lambda')$$

A trivial consequence is that $R > 2\alpha(\beta' + 2\Lambda')$. Clearly, we can let $r_{min} = (R - \alpha(\beta' + 2\Lambda'))/(1 + \rho)$
and $r_{max} = (1 + \rho)(R + \alpha(\beta' + 2\Lambda'))$. The values for $\Lambda'$, $\beta'$, and $\alpha()$ will be
determined by the implementation. The constraints on these values will be presented later.

Shankar and Schneider both assume the following in their proofs. The condition states that
the elapsed time between two processes starting their ith interval clock is bounded. This property
is closely related to the end result of the general theory (bounded skew), and should be
derived in the context of an arbitrary algorithm.

Old Condition 4 (bounded delay) For nonfaulty clocks p and q 


The related property, that for nonfaulty clocks p and q,

$$|s^i_p - s^i_q| < \beta'$$

is proven independently of the algorithm in section 3. This gives sufficient information to prove
bounded delay directly from the algorithm; however, this proof depends upon the interpretation
of $T^{i+1}_p$. Two interpretations and their corresponding proofs are given later.

The next condition states that all good clocks begin executing the protocol at the same 
instant of real time (and defines that time to be 0). 

Old Condition 5 (initial synchronization) For nonfaulty clock p

$$t^0_p = 0$$

This is clearly unsatisfiable, and will be discarded. It is used in proving the base case of the
induction proof which establishes that good clocks are within $\delta_S$ of other good clocks, immediately
following the application of a correction. A satisfiable condition for that proof is that
New Condition 5 (initial synchronization) For nonfaulty clock p

$$IC^0_p(t^0_p) = T^0$$

where $T^0$ is some constant clock time known to all good clocks (i.e. $T^0$ is the clock time in
the initial state). This just states that all nonfaulty clocks start the protocol at the same
Clocktime. It is possible that this condition can be eliminated entirely.

Since we do not want process q to start its (i + 1)th clock before process p starts its ith,
Shankar states a nonoverlap condition

Old Condition 6 (nonoverlap)

$$\beta \le r_{min}$$

This, with bounded interval and bounded delay, ensures that for good clocks p and q, $t^i_p < t^{i+1}_q$.
We restate the condition in terms related to this presentation

New Condition 6 (nonoverlap)

$$\beta < (R - \alpha(\beta' + 2\Lambda'))/(1 + \rho)$$

This essentially defines an additional constraint on R; namely that $R > (1 + \rho)\beta + \alpha(\beta' + 2\Lambda')$.

All clock synchronization protocols require each process to obtain an estimate of the clock 
values for other processes within the system. Error in this estimate can be bounded, but not 
eliminated. 

Old Condition 7 (reading error) For nonfaulty clocks p and q

$$|IC^i_q(t^{i+1}_p) - \Theta^{i+1}_p(q)| < \Lambda$$


However, in stating this condition an important consideration was overlooked. In some protocols,
the ability to accurately read another processor's clock is dependent upon those clocks
being already synchronized. Therefore, we add a precondition to the condition. Another useful
observation is that an estimate of a remote clock's value is subject to two interpretations. It
can be used to approximate the difference in Clocktime that two clocks show at an instant of
real time, or it can be used to approximate the separation in real time that two clocks show the
same Clocktime.
New Condition 7 (reading error) For nonfaulty clocks p and q, if $|s^i_p - s^i_q| < \beta'$,

1. $|IC^i_q(t^{i+1}_p) - \Theta^{i+1}_p(q)| = |(IC^i_q(t^{i+1}_p) - IC^i_p(t^{i+1}_p)) - (\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p))| < \Lambda$

2. $|(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (ic^i_p(T^{i+1}_p) - ic^i_q(T^{i+1}_p))| < \Lambda$

3. $|(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (ic^i_p(S^i) - ic^i_q(S^i))| < \Lambda'$


The first clause just restates the existing read error condition to illustrate that the read error
can also be viewed as the error in an estimate of the difference in readings of Clocktime,
i.e. the estimate allows us to approximately determine another clock's reading at a particular
instant of time. The second clause recognizes that this difference can also be used to obtain
an estimate of the time that a remote clock shows a particular Clocktime. The third clause is
the one used in this paper; it relates the real time separation of clocks when they read $S^i$ to the
estimated difference when the correction is applied. A bound on this could be derived from the
second clause, but it is likely that a tighter bound can be derived from the implementation.
Since the guaranteed skew is derived, in part, from the read error, we wish this bound to be as
tight as possible. For this reason, we add it as an assumption to be satisfied in the context of a
particular implementation.

The remaining constraints are unaltered in this presentation. They are exactly as Shankar
stated them. The first of these is that there is a bound on the number of faults which can be
tolerated.

Old Condition 8 (bounded faults) At any time t, the number of faulty processes is at
most F.


Synchronization algorithms execute a convergence function $cfn(p, \theta)$ which must satisfy the
conditions of translation invariance, precision enhancement, and accuracy preservation irrespective
of the physical constraints on the system. Shankar mechanically proves that Lamport and
Melliar-Smith's Interactive Convergence function [5] satisfies these three conditions [2]. A
mechanically checked proof that the fault-tolerant midpoint function used by Welch and Lynch [3]
satisfies these conditions is presented in [6]. Schneider presents proofs that a number of other
protocols satisfy these properties in [1].

Translation invariance states that the value obtained by adding x to the result of the convergence
function should be the same as adding x to each of the clock readings used in evaluating
the convergence function.

Old Condition 9 (translation invariance) For any function $\theta$ mapping clocks to clock
values,

$$cfn(p, (\lambda n : \theta(n) + x)) = cfn(p, \theta) + x$$


Precision enhancement is a formalization of the concept that, after executing the convergence 
function, the values of interest should be close together. 

Old Condition 10 (precision enhancement) Given any subset C of the N clocks with
$|C| \ge N - F$, and clocks p and q in C, then for any readings $\gamma$ and $\theta$ satisfying the conditions

1. for any $\ell$ in C, $|\gamma(\ell) - \theta(\ell)| < x$

2. for any $\ell$, m in C, $|\gamma(\ell) - \gamma(m)| < y$

3. for any $\ell$, m in C, $|\theta(\ell) - \theta(m)| < y$

there is a bound $\pi(x, y)$ such that

$$|cfn(p, \gamma) - cfn(q, \theta)| < \pi(x, y)$$


Accuracy preservation formalizes the notion that there should be a bound on the amount of 
correction applied in any synchronization interval. 

Old Condition 11 (accuracy preservation) Given any subset C of the N clocks with
$|C| \ge N - F$, and clock readings $\theta$ such that for any $\ell$ and m in C, the bound $|\theta(\ell) - \theta(m)| < x$
holds, there is a bound $\alpha(x)$ such that for any q in C

$$|cfn(p, \theta) - \theta(q)| < \alpha(x)$$


In the course of his proof of Theorem 1, Shankar derives the following additional conditions 
for an algorithm to be verified in this theory. 

1. $\pi(2\Lambda + 2\rho\beta, \delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) < \delta_S$

2. $\delta_S + 2\rho r_{max} \le \delta$

3. $\alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) + \Lambda + 2\rho\beta < \delta$

These prevent trivial bounds for the properties of precision enhancement and accuracy preservation.
Future plans include revisiting Shankar's proof to try to improve on these constraints. The
next section uses the new conditions presented in this section, along with the old constraints on
the convergence function, to provide a general proof of bounded delay.
3 A General Solution for Bounded Delay


Schneider's schema assumes that $|t^i_p - t^i_q| < \beta$ for good clocks p and q, where $t^i_p$ denotes the real
time that clock p begins its ith interval clock (this is condition 4 in Shankar's presentation).
Anyone wishing to use the generalized proof to verify an implementation correct must prove that
this property is satisfied in the context of their implementation. In the case of the algorithm
presented in [3], this is a non-trivial proof.

The difficulty stems, in part, from the inherent ambiguity in the interpretation of $t^i_p$ in
the context of an arbitrary algorithm. Relating the event to a particular clock time is difficult
because it serves as a crossover point between two interval clocks. The logical clock implemented
by the algorithm undergoes an instantaneous shift in its representation of time. Thus the local
clock readings surrounding the time of adjustment may show a particular clock time twice, or
never. The event $t^{i+1}_p$ is determined by the algorithm to occur when $IC^i_p(t) = T^{i+1}_p$, i.e. $T^{i+1}_p$
is the clock time for applying the adjustment $ADJ^i_p = (adj^{i+1}_p - adj^i_p)$. This also means that
$t^{i+1}_p = ic^i_p(T^{i+1}_p)$. In an instantaneous adjustment algorithm there are at least two possibilities:

1. $T^{i+1}_p = (i + 1)R + T^0$, or

2. $T^{i+1}_p = (i + 1)R + T^0 - ADJ^i_p$.

A more stable frame of reference is needed for bounding the separation of events. Welch and
Lynch exploit their mechanism for reading remote clocks to provide this frame of reference. Every
clock in the system sends a synchronization pulse when its virtual clock reads $S^i = iR + S^0$,
where $S^0$ denotes the first exchange of clock values. Let $s^i_p$ denote the earliest real time that
$IC^i_p(t) = S^i$. If we ignore any implied interpretation of the event $s^i_p$, and just select $S^i$ which satisfy
condition 3, we have sufficient information to prove bounded delay for an arbitrary algorithm.

The general proof follows closely the argument given in [3]. The proof adapted is that of
Theorem 4 of [3, section 6]. We wish to prove for good clocks p and q that $|t^i_p - t^i_q| < \beta$. To
establish this we first prove the following:

Theorem 2 (bounded delay offset) For nonfaulty clocks p and q, and for $i \ge 0$,

(a) If $i \ge 1$, then $|ADJ^{i-1}_p| < \alpha(\beta' + 2\Lambda')$.

(b) $|s^i_p - s^i_q| < \beta'$

Proof: By induction on i. The base case (i = 0) is trivial; part (a) is vacuously true and (b) is
true by assumption.

Assuming that (a) and (b) are true for i, we proceed by showing they hold for i + 1.
(a)

We begin by recognizing that (a) is an instance of accuracy preservation. $ADJ^{(i+1)-1}_p = ADJ^i_p = adj^{i+1}_p - adj^i_p = cfn(p, \Theta^{i+1}_p) - IC^i_p(t^{i+1}_p)$.
Since $IC^i_p(t^{i+1}_p) = \Theta^{i+1}_p(p)$ (no error in reading own clock), we
have an instance of accuracy preservation:

$$|cfn(p, \Theta^{i+1}_p) - \Theta^{i+1}_p(p)| < \alpha(x).$$

All that is required is to show that $\beta' + 2\Lambda'$ substituted for x satisfies the hypotheses of accuracy
preservation.

We need to establish that for good $\ell$, m,

$$|\Theta^{i+1}_p(\ell) - \Theta^{i+1}_p(m)| < \beta' + 2\Lambda'$$


We know from the induction hypothesis that for good clocks p and q,

$$|s^i_p - s^i_q| = |ic^i_p(S^i) - ic^i_q(S^i)| < \beta'$$

Using reading error and the induction hypothesis we get for nonfaulty clocks p and q

$$|(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (ic^i_p(S^i) - ic^i_q(S^i))| < \Lambda'$$

We proceed as follows:

$$|\Theta^{i+1}_p(\ell) - \Theta^{i+1}_p(m)|$$
$$= |(\Theta^{i+1}_p(\ell) - \Theta^{i+1}_p(m)) + (IC^i_p(t^{i+1}_p) - IC^i_p(t^{i+1}_p)) + (ic^i_p(S^i) - ic^i_p(S^i)) + (ic^i_\ell(S^i) - ic^i_\ell(S^i)) + (ic^i_m(S^i) - ic^i_m(S^i))|$$
$$\le |ic^i_\ell(S^i) - ic^i_m(S^i)| + |(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)) - (ic^i_p(S^i) - ic^i_\ell(S^i))| + |(\Theta^{i+1}_p(m) - IC^i_p(t^{i+1}_p)) - (ic^i_p(S^i) - ic^i_m(S^i))|$$
$$< \beta' + 2\Lambda'$$

We get the last step by substituting $\ell$ and m for p and q respectively in the induction hypothesis,
then using reading error twice, substituting first $\ell$ for q and then m for q.


(b) 

All supporting lemmas introduced in this section implicitly assume both the induction hypothesis 
and part (a) for i + 1. In Welch and Lynch’s presentation they introduce a variant of precision 
enhancement. We restate it here in the context of the general protocol: 
Lemma 1 For good clocks p and q,

$$|(ic^i_p(S^i) - ic^i_q(S^i)) - (ADJ^i_p - ADJ^i_q)| < \pi(2\Lambda' + 2, \beta' + 2\Lambda')$$

Proof: We begin by recognizing that $ADJ^i_p = cfn(p, (\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)))$ (and similarly
for $ADJ^i_q$). A simple rearrangement of the terms gives us

$$|(ic^i_p(S^i) - ic^i_q(S^i)) - (ADJ^i_p - ADJ^i_q)|$$
$$= |(ADJ^i_p - ic^i_p(S^i)) - (ADJ^i_q - ic^i_q(S^i))|$$

To use translation invariance, we first need to convert the terms $ic^i_p(S^i)$ and $ic^i_q(S^i)$ to Clocktime.
We do this via the integer floor and ceiling functions. Without loss of generality, assume that
$(ADJ^i_p - ic^i_p(S^i)) \ge (ADJ^i_q - ic^i_q(S^i))$.

$$|(ADJ^i_p - ic^i_p(S^i)) - (ADJ^i_q - ic^i_q(S^i))|$$
$$\le |(ADJ^i_p - \lfloor ic^i_p(S^i) \rfloor) - (ADJ^i_q - \lceil ic^i_q(S^i) \rceil)|$$
$$= |cfn(p, (\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)) - cfn(q, (\lambda\ell . \Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil ic^i_q(S^i) \rceil))|$$

All that is required is to demonstrate that if $(\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor) = \gamma$ and
$(\lambda\ell . \Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil ic^i_q(S^i) \rceil) = \theta$, they satisfy the hypotheses of precision enhancement.
We know from reading error and the induction hypothesis that

$$|(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)) - (ic^i_p(S^i) - ic^i_\ell(S^i))| < \Lambda'$$

To satisfy the first hypothesis of precision enhancement we notice that

$$|(\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)(\ell) - (\lambda\ell . \Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil ic^i_q(S^i) \rceil)(\ell)|$$
$$= |(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor) - (\Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil ic^i_q(S^i) \rceil)|$$
$$= |((\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)) - (\lfloor ic^i_p(S^i) \rfloor - ic^i_\ell(S^i))) - ((\Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q)) - (\lceil ic^i_q(S^i) \rceil - ic^i_\ell(S^i)))|$$
$$< 2\Lambda' + 2$$

Therefore, we can substitute $2\Lambda' + 2$ for x to satisfy the first hypothesis of precision enhancement.

To satisfy the second and third hypotheses we proceed as follows (the argument presented is
for $(\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor) = \gamma$). We need a y such that

$$|(\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)(\ell) - (\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)(m)| < y.$$
We know that

$$|(\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)(\ell) - (\lambda\ell . \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)(m)|$$
$$= |(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor) - (\Theta^{i+1}_p(m) - IC^i_p(t^{i+1}_p) - \lfloor ic^i_p(S^i) \rfloor)|$$
$$= |\Theta^{i+1}_p(\ell) - \Theta^{i+1}_p(m)|.$$

The argument in part (a) shows that this value is bounded by $\beta' + 2\Lambda'$, which is the desired y
for the remaining hypotheses of precision enhancement. ■

Now we bound the separation of $ic^{i+1}_p(T)$ and $ic^{i+1}_q(T)$ for all T.

Lemma 2 For good clocks p and q, and clock time T,

$$|ic^{i+1}_p(T) - ic^{i+1}_q(T)| < 2\rho(|T - S^i| + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2, \beta' + 2\Lambda')$$

Proof: The proof is taken verbatim (modulo notational differences) from [3, Lemma 10].

Note that $ic^{i+1}_p(T) = ic^i_p(T - ADJ^i_p)$ and $ic^{i+1}_q(T) = ic^i_q(T - ADJ^i_q)$. Now

$$|ic^{i+1}_p(T) - ic^{i+1}_q(T)|$$
$$\le |ic^i_p(T - ADJ^i_p) - ic^i_p(S^i) - (T - ADJ^i_p - S^i)|$$
$$+ |ic^i_q(T - ADJ^i_q) - ic^i_q(S^i) - (T - ADJ^i_q - S^i)|$$
$$+ |(ic^i_p(S^i) - ic^i_q(S^i)) - (ADJ^i_p - ADJ^i_q)|$$

The three terms are bounded separately. By the second corollary of bounded drift we get

$$|ic^i_p(T - ADJ^i_p) - ic^i_p(S^i) - (T - ADJ^i_p - S^i)|$$
$$\le \rho|T - S^i - ADJ^i_p|$$
$$\le \rho(|T - S^i| + \alpha(\beta' + 2\Lambda')), \text{ from part (a) for } i + 1.$$

The second term is similarly bounded. Lemma 1 bounds the third term. Adding the bounds
and simplifying gives the result. ■

This leads to the desired result:

Lemma 3 For good clocks p and q,

$$|s^{i+1}_p - s^{i+1}_q| < 2\rho(R + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2, \beta' + 2\Lambda') < \beta'$$
Proof: This is simply an instance of Lemma 2 with $S^{i+1}$ substituted for T. ■

This completes the proof of Theorem 2. Algebraic manipulations on the inequality

$$2\rho(R + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2, \beta' + 2\Lambda') < \beta'$$

give us an upper bound for R.

3.1 Relationship to Shankar’s Mechanical Proof 

We begin by noticing that both instantaneous adjustment schemes presented in this paper allow
for a simple derivation of a $\beta$ that satisfies the condition of bounded delay. These are sufficient
to establish condition 4. Notice that knowledge of the algorithm is required in order to fully
establish this property.

1. When $T^{i+1}_p = (i + 1)R + T^0$, let $\beta = \beta' + 2\rho(T^{i+1}_p - S^i)$.

2. When $T^{i+1}_p = (i + 1)R + T^0 - ADJ^i_p$, let $\beta = \beta' - 2\rho(S^i - IC$

This implies that all downstream proofs need not be altered. However, it is possible that some
bounds and arguments can be improved. This leaves us with a set of conditions which are much
easier to satisfy for a particular implementation. A proof that an implementation is an instance
of this extended theory requires the following:

• Prove the properties of translation invariance, precision enhancement and accuracy preservation
for the chosen convergence function.

• Identify data structures in the implementation which correspond to the algebraic definitions
of clocks. Prove that the structures used in the implementation satisfy the definitions.

• Prove that the implementation correctly executes a variation of the following algorithm:

    i ← 0
    do forever {
        exchange clock values
        determine adjustment for this interval
        determine T^{i+1} (local time to apply correction)
        when IC^i(t) = T^{i+1} apply correction; i ← i + 1
    }

• Prove the new condition of read error in the context of the algorithm. 

• Solve the four (three from [2], one from above) derived inequalities using values determined
from the implementation.

• Prove correct a mechanism for establishing initial synchronization ($|s^0_p - s^0_q| < \beta'$). Ensure
that $\beta'$ is as small as possible within the constraints of the aforementioned inequalities.

• If the protocol does not behave in the manner of either instantaneous adjustment option
presented in this paper, it will be necessary to use another means to establish $\forall i : |t^i_p - t^i_q| < \beta$
from $\forall i : |s^i_p - s^i_q| < \beta'$.

3.2 EHDM Proofs of Bounded Delay

The EHDM (version 5.2) proofs and supporting definitions and axioms are in the modules delay,
delay2, delay3 and delay4. LaTeX formatted listings of these modules are in the appendix.^2
Some of the revised constraints presented in section 2 are in module delay. The most difficult
aspect of the proofs was determining a reasonable predicate to express nonfaulty clocks. Since
we would like to express transient fault recovery in the theory, it is necessary to avoid the
axiom correct_closed from Shankar's module clockassumptions.^3 The notion of non-faulty clocks
is expressed by the following from module delay.

    correct_during: function[process, time, time -> bool] =
        (λ p, t, s : t ≤ s ∧ (∀ t_1 : t ≤ t_1 ∧ t_1 ≤ s ⊃ correct(p, t_1)))
    wpred: function[event -> function[process -> bool]]
    rpred: function[event -> function[process -> bool]]
    wvr_pred: function[event -> function[process -> bool]] =
        (λ i : (λ p : wpred(i)(p) ∨ rpred(i)(p)))

    wpred_ax: Axiom count(wpred(i), N) ≥ N - F

    wpred_correct: Axiom wpred(i)(p) ⊃ correct_during(p, t^i_p, t^{i+1}_p)

    wpred_preceding: Axiom wpred(i + 1)(p) ⊃ wpred(i)(p) ∨ rpred(i)(p)

    wpred_rpred_disjoint: Axiom ¬(wpred(i)(p) ∧ rpred(i)(p))

    wpred_bridge: Axiom
        wvr_pred(i)(p) ∧ correct_during(p, t^{i+1}_p, t^{i+2}_p) ⊃ wpred(i + 1)(p)

Also, module delay3 states the following axiom:

recovery_lemma: Axiom
    delay_pred(i) ∧ ADJ_pred(i + 1)
    ∧ rpred(i)(p) ∧ correct_during(p, t_p^{i+1}, t_p^{i+2}) ∧ wpred(i + 1)(q)
    ⊃ |s_p^{i+1} - s_q^{i+1}| < β'


² A slightly modified version of Shankar's module clockassumptions is also included in the appendix for
completeness.

³ This axiom has not yet been removed from the general theory. None of the proofs of bounded delay offset
depend on it, however.
There are two predicates defined, wpred and rpred. Wpred is used to denote a working clock, i.e.
it is not faulty and is in the proper state. Rpred denotes a process that is not faulty, but has not
yet recovered proper state information. Correct is a predicate taken from Shankar's proof which
states whether or not a clock is fault-free at a particular instant of real time. Correct_during is
used to denote correctness of a clock over an interval of time. In order to reason about transient
recovery it is necessary to provide an rpred that satisfies these relationships. If we do not plan
on establishing transient recovery, let rpred(i) = (λ p : false). In this case, axioms recovery_lemma
and wpred_rpred_disjoint are vacuously true, and the remaining axioms are analogous to Shankar's
correct_closed. This reduces to a system in which the only correct clocks are those that have
been so since the beginning of the protocol. This is precisely what should be true if no recovery
is possible.
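As an added illustration (not part of the report or its EHDM modules), the following Python model computes wpred and rpred over a constructed trace of four processes, one of which suffers a transient fault, and checks the five wpred axioms above against it. The model assumes identical synchronization times for all processes and takes rpred(i)(p) to mean that p is correct over its i-th interval but was neither working nor recovering at event i − 1; setting allow_recovery=False gives the rpred(i) = (λ p : false) case described in the text.

```python
"""Finite-trace model of the wpred / rpred predicates of module delay.

Constructed example, not part of the report or its EHDM modules.  Each
process carries its synchronization times t_p^0, t_p^1, ... and the closed
real-time intervals during which it is correct; correct_during, wpred and
rpred are computed event by event and the five wpred axioms are checked.
Assumption: rpred(i)(p) holds when p is correct over [t_p^i, t_p^{i+1}] but
was neither wpred nor rpred at event i-1.  With allow_recovery=False, rpred
is the constant (lambda p : false) of the text and no failed clock returns.
"""


class Process:
    def __init__(self, sync_times, correct_intervals):
        self.sync_times = list(sync_times)                # t_p^0, t_p^1, ...
        self.correct_intervals = list(correct_intervals)  # [(lo, hi), ...]

    def correct_during(self, t, s):
        """correct_during(p, t, s): t <= s and correct(p, t1) for every t1 in [t, s].

        Over a finite union of closed intervals this holds iff [t, s] lies
        inside one interval of correctness.
        """
        return t <= s and any(lo <= t and s <= hi for lo, hi in self.correct_intervals)


def compute_predicates(procs, n_events, allow_recovery=True):
    """Return (wpred, rpred): for each event i, the set of process indices.

    wpred(0)(p)   iff p is correct over [t_p^0, t_p^1];
    wpred(i+1)(p) iff wvr_pred(i)(p) and p is correct over [t_p^{i+1}, t_p^{i+2}]
                  (the shape of axiom wpred_bridge);
    rpred(i)(p)   iff p is correct over its interval but not wvr_pred at i-1.
    """
    wpred, rpred = [], []
    for i in range(n_events):
        working, recovering = set(), set()
        for k, p in enumerate(procs):
            cd = p.correct_during(p.sync_times[i], p.sync_times[i + 1])
            was_wvr = i == 0 or k in wpred[i - 1] or k in rpred[i - 1]
            if cd and was_wvr:
                working.add(k)
            elif cd and allow_recovery:
                recovering.add(k)
        wpred.append(working)
        rpred.append(recovering)
    return wpred, rpred


def check_axioms(procs, wpred, rpred, n_faults):
    """Evaluate the delay-module axioms on the trace; returns {axiom name: bool}."""
    n, n_events = len(procs), len(wpred)

    def cd(k, i):  # correct_during(p_k, t_k^i, t_k^{i+1})
        return procs[k].correct_during(procs[k].sync_times[i], procs[k].sync_times[i + 1])

    return {
        # wpred_ax: count(wpred(i), N) >= N - F
        "wpred_ax": all(len(wpred[i]) >= n - n_faults for i in range(n_events)),
        # wpred_correct: wpred(i)(p) => correct_during(p, t_p^i, t_p^{i+1})
        "wpred_correct": all(cd(k, i) for i in range(n_events) for k in wpred[i]),
        # wpred_preceding: wpred(i+1)(p) => wpred(i)(p) or rpred(i)(p)
        "wpred_preceding": all(wpred[i + 1] <= wpred[i] | rpred[i]
                               for i in range(n_events - 1)),
        # wpred_rpred_disjoint: not (wpred(i)(p) and rpred(i)(p))
        "wpred_rpred_disjoint": all(not (wpred[i] & rpred[i]) for i in range(n_events)),
        # wpred_bridge: wvr_pred(i)(p) and correct_during(p, t_p^{i+1}, t_p^{i+2})
        #               => wpred(i+1)(p)
        "wpred_bridge": all(k in wpred[i + 1]
                            for i in range(n_events - 1)
                            for k in wpred[i] | rpred[i] if cd(k, i + 1)),
    }


def demo(allow_recovery=True, extra_fault=False):
    """Constructed trace: N = 4, F = 1, a synchronization event every 10 time units.

    Process 2 (and process 3 if extra_fault) is faulty over real time [12, 18],
    i.e. during the interval of event 1, and is fault-free again afterwards.
    """
    period = [0, 10, 20, 30, 40]            # t_p^0 .. t_p^4, identical for all p
    always = [(0, 100)]
    transient = [(0, 12), (18, 100)]
    procs = [Process(period, always), Process(period, always),
             Process(period, transient),
             Process(period, transient if extra_fault else always)]
    wpred, rpred = compute_predicates(procs, n_events=4, allow_recovery=allow_recovery)
    return wpred, rpred, check_axioms(procs, wpred, rpred, n_faults=1)


if __name__ == "__main__":
    for recover in (True, False):
        wpred, rpred, axioms = demo(allow_recovery=recover)
        print("recovery" if recover else "no recovery", wpred, rpred, axioms)
```

With recovery the faulted process is rpred at event 2 and wpred again at event 3; without recovery it never re-enters wpred, and a second simultaneous fault makes wpred_ax fail while the structural axioms still hold.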

The restated property of bounded drift is captured by axioms RATE_1 and RATE_2. The new
constraints for bounded interval are rts_new_1 and rts_new_2. Bounded delay init is expressed by
bnd_delay_init. The third clause of the new reading error is reading_error3. The other two clauses
are not used in this proof. An additional assumption not included in the constraints given in
section 2 is that there is no error in reading your own clock. This is captured by read_self.
In addition there were a few assumptions included defining interrelationships of some of the
constants required by the theory.

The statement of Theorem 2 is bnd_delay_offset in module delay2. The main step of the
inductive proof for part (a) is captured by good_ReadClock. This, with accuracy preservation, was
sufficient to establish bnd_delay_offset_ind_a. Part (b) is more involved. Lemma delay_prec_enh in
module delay2 is the machine checked version of lemma 1. Module delay3 contains the remaining
proofs for part (b). Lemma 2 is presented as bound_future. The first two terms in the proof
are bounded by lemma bound_future1, the third by delay_prec_enh. Lemma bound_FIXTIME
completes the proof.

Module delay4 contains the proofs that each of the proposed substitutions for β satisfy
the condition of bounded delay. Option 1 is captured by option1_bounded_delay, and option 2 is
expressed by option2_bounded_delay. The EHDM proof chain status, demonstrating that all proof
obligations have been met, can be found in the appendix. The task of mechanically verifying
the proofs also forced some minor revisions to some hand proofs in an earlier draft of this paper.
The errors revealed by the mechanical proof included invalid substitution of reals for integers,
and arithmetic sign errors.
4 Concluding Remarks

This paper presents a mechanically confirmed proof for satisfying the condition bounded delay 
in the context of an arbitrary clock synchronization algorithm. The general theory presented 
by Schneider (and mechanically verified by Shankar) assumes this property. However, for some 
clock synchronization algorithms, the difficulty of the proof required to establish this property 
is comparable to that of directly proving the algorithm correct. If we wish to use Schneider’s 
paradigm to simplify the verification of clock synchronization systems, a general proof of bounded 
delay is required. The proof given by Welch and Lynch for a related property was generalized 
and recast in the context of Schneider’s general theory. In addition, changes to the underlying 
assumptions of the theory were given. These changes should ease the task of satisfying the 
assumptions in the course of verifying an implementation. The proofs presented here were 
sufficient to convince EHDM that the property of bounded delay can be satisfied in a general
manner. Furthermore, Shankar’s mechanically checked proofs still hold for the modified theory 
(modulo minor changes). It is possible that reworking Shankar’s proofs using the new constraints 
will yield better bounds on the derived constraints. 
A Proof Chain Status

Terse proof chains for module delay4 


SUMMARY 

The proof chain is complete 

The axioms and assumptions at the base are:
clockassumptions.IClock_defn
clockassumptions.accuracy_preservation_ax
clockassumptions.precision_enhancement_ax
clockassumptions.rho_0
clockassumptions.translation_invariance
delay.RATE_1
delay.RATE_2
delay.R_FIX_SYNC_0
delay.bnd_delay_init
delay.fix_between_sync
delay.read_self
delay.reading_error3
delay.rts_new_1
delay.rts_new_2
delay.synctime_defn
delay.wpred_ax
delay.wpred_correct
delay.wpred_preceding
delay3.betaprime_ax
delay3.recovery_lemma
delay4.option1_alg
delay4.option2_alg
division.mult_div_1
division.mult_div_2
division.mult_div_3
floor_ceil.ceil_defn
floor_ceil.floor_defn
multiplication.mult_non_neg
multiplication.mult_pos
noetherian[EXPR, EXPR].general_induction
Total: 30

The definitions and type-constraints are:
absmod.abs
clockassumptions.Adj
clockassumptions.okay_Readpred
clockassumptions.okay_pairs
delay.ADJ
delay.FIXTIME
delay.correct_during
delay.fixtime
delay.iclock
delay2.ADJ_pred
delay2.delay_pred
delay3.good_interval
multiplication.mult

Total: 13

The formulae used are: 
Total: 102 

The completed proofs are: 
Total: 104 
B LaTeX Formatted Listings

clockassumptions: Module
Using arith, countmod
Exporting all with countmod, arith
Theory
N: nat

N_0: Axiom N > 0

process: Type is nat

event: Type is nat

time: Type is number

Clocktime: Type is integer

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process

i, j, k: Var event

x, y, z, r, s, t: Var time

X, Y, Z, R, S, T: Var Clocktime

γ, θ: Var function[process → Clocktime]

δ, ρ, r_min, r_max, β: number
Λ, μ: Clocktime

PC_{*1}(*2), VC_{*1}(*2): function[process, time → Clocktime]
t_{*1}^{*2}: function[process, event → time]

Θ_{*1}^{*2}: function[process, event → function[process → Clocktime]]
IC_{*1}^{*2}(*3): function[process, event, time → Clocktime]
correct: function[process, time → bool]

cfn: function[process, function[process → Clocktime] → Clocktime]
π: function[number, number → number]
α: function[number → number]

delta_0: Axiom δ > 0
mu_0: Axiom μ > 0
rho_0: Axiom ρ > 0
rho_1: Axiom ρ < 1
rmin_0: Axiom r_min ≥ 0
rmax_0: Axiom r_max ≥ 0
beta_0: Axiom β > 0
lamb_0: Axiom Λ > 0

init: Axiom correct(p, 0) ⊃ PC_p(0) > 0 ∧ IC_p^0(0) < μ
correct_closed: Axiom s > t ∧ correct(p, s) ⊃ correct(p, t)

rate_1: Axiom correct(p, s) ∧ s > t ⊃ PC_p(s) - PC_p(t) < ⌈(s - t) * (1 + ρ)⌉

rate_2: Axiom correct(p, s) ∧ s > t ⊃ PC_p(s) - PC_p(t) > ⌊(s - t) * (1 - ρ)⌋

rts0: Axiom correct(p, t) ∧ t < t_p^{i+1} ⊃ t - t_p^i < r_max

rts1: Axiom correct(p, t) ∧ t > t_p^{i+1} ⊃ t - t_p^i > r_min

rts_0: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} - t_p^i < r_max

rts_1: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} - t_p^i > r_min

rts2: Axiom correct(p, t) ∧ t > t_q^i + β ∧ correct(q, t) ⊃ t > t_p^i

rts_2: Axiom correct(p, t_p^i) ∧ correct(q, t_q^i) ⊃ |t_p^i - t_q^i| < β

synctime_0: Axiom t_p^0 = 0

VClock_defn: Axiom
    correct(p, t) ∧ t > t_p^i ∧ t < t_p^{i+1} ⊃ VC_p(t) = IC_p^i(t)

adj_{*1}^{*2}: function[process, event → Clocktime] =
    (λ p, i : (if i > 0 then cfn(p, Θ_p^i) - PC_p(t_p^i) else 0 end if))

IClock_defn: Axiom correct(p, t) ⊃ IC_p^i(t) = PC_p(t) + adj_p^i

Readerror: Axiom correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1})
    ⊃ |Θ_p^{i+1}(q) - IC_q^i(t_p^{i+1})| < Λ

translation_invariance: Axiom
    cfn(p, (λ p1 → Clocktime : γ(p1) + X)) = cfn(p, γ) + X

ppred: Var function[process → bool]

F: process

okay_Readpred: function[function[process → Clocktime], number,
    function[process → bool] → bool] =
    (λ γ, y, ppred : (∀ l, m : ppred(l) ∧ ppred(m) ⊃ |γ(l) - γ(m)| < y))
okay_pairs: function[function[process → Clocktime],
    function[process → Clocktime], number,
    function[process → bool] → bool] =
    (λ γ, θ, x, ppred : (∀ p3 : ppred(p3) ⊃ |γ(p3) - θ(p3)| < x))

N_maxfaults: Axiom F < N

precision_enhancement_ax: Axiom
    count(ppred, N) > N - F
    ∧ okay_Readpred(γ, y, ppred)
    ∧ okay_Readpred(θ, y, ppred)
    ∧ okay_pairs(γ, θ, x, ppred) ∧ ppred(p) ∧ ppred(q)
    ⊃ |cfn(p, γ) - cfn(q, θ)| < π(x, y)
correct_count: Axiom count((λ p : correct(p, t)), N) > N - F

okay_Reading: function[function[process → Clocktime], number, time
    → bool] =
    (λ γ, y, t : (∀ p1, q1 :
        correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) - γ(q1)| < y))

okay_Readvars: function[function[process → Clocktime],
    function[process → Clocktime], number, time
    → bool] =
    (λ γ, θ, x, t : (∀ p3 : correct(p3, t) ⊃ |γ(p3) - θ(p3)| < x))

okay_Readpred_Reading: Lemma
    okay_Reading(γ, y, t) ⊃ okay_Readpred(γ, y, (λ p : correct(p, t)))

okay_pairs_Readvars: Lemma
    okay_Readvars(γ, θ, x, t) ⊃ okay_pairs(γ, θ, x, (λ p : correct(p, t)))

precision_enhancement: Lemma
    okay_Reading(γ, y, t_p^{i+1})
    ∧ okay_Reading(θ, y, t_p^{i+1})
    ∧ okay_Readvars(γ, θ, x, t_p^{i+1})
    ∧ correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1})
    ⊃ |cfn(p, γ) - cfn(q, θ)| < π(x, y)

okay_Reading_defn_lr: Lemma
    okay_Reading(γ, y, t)
    ⊃ (∀ p1, q1 : correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) - γ(q1)| < y)

okay_Reading_defn_rl: Lemma
    (∀ p1, q1 : correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) - γ(q1)| < y)
    ⊃ okay_Reading(γ, y, t)

okay_Readvars_defn_lr: Lemma
    okay_Readvars(γ, θ, x, t) ⊃ (∀ p3 : correct(p3, t) ⊃ |γ(p3) - θ(p3)| < x)
okay_Readvars_defn_rl: Lemma
    (∀ p3 : correct(p3, t) ⊃ |γ(p3) - θ(p3)| < x) ⊃ okay_Readvars(γ, θ, x, t)

accuracy_preservation_ax: Axiom
    okay_Readpred(γ, x, ppred) ∧ count(ppred, N) > N - F ∧ ppred(p) ∧ ppred(q)
    ⊃ |cfn(p, γ) - γ(q)| < α(x)

Proof

okay_Reading_defn_rl_pr: Prove
    okay_Reading_defn_rl {p1 ← p1@P1S, q1 ← q1@P1S} from okay_Reading

okay_Reading_defn_lr_pr: Prove okay_Reading_defn_lr from
    okay_Reading {p1 ← p1@CS, q1 ← q1@CS}
okay_Readvars_defn_rl_pr: Prove okay_Readvars_defn_rl {p3 ← p3@P1S} from
    okay_Readvars

okay_Readvars_defn_lr_pr: Prove okay_Readvars_defn_lr from
    okay_Readvars {p3 ← p3@CS}

precision_enhancement_pr: Prove precision_enhancement from
    precision_enhancement_ax {ppred ← (λ q : correct(q, t_p^{i+1}))},
    okay_Readpred_Reading {t ← t_p^{i+1}},
    okay_Readpred_Reading {t ← t_p^{i+1}, γ ← θ},
    okay_pairs_Readvars {t ← t_p^{i+1}},
    correct_count {t ← t_p^{i+1}}

okay_Readpred_Reading_pr: Prove okay_Readpred_Reading from
    okay_Readpred {ppred ← (λ p : correct(p, t))},
    okay_Reading {p1 ← l@P1S, q1 ← m@P1S}

okay_pairs_Readvars_pr: Prove okay_pairs_Readvars from
    okay_pairs {ppred ← (λ p : correct(p, t))}, okay_Readvars {p3 ← p3@P1S}

rts_0_proof: Prove rts_0 from rts0 {t ← t_p^{i+1}}

rts_1_proof: Prove rts_1 from rts1 {t ← t_p^{i+1}}
End clockassumptions
delay: Module

Using arith, clockassumptions
Exporting all with clockassumptions

Theory

p, q, p1, q1: Var process
i: Var event
X, S, T: Var Clocktime
s, t, t1, t2: Var time

γ: Var function[process → Clocktime]

β': number

R, Λ': Clocktime

ppred, ppred1: Var function[process → bool]

S^0: Clocktime

S^{*1}: function[event → Clocktime] = (λ i : S^0 + i * R)
pc_{*1}(*2): function[process, Clocktime → time]

ic_{*1}^{*2}(*3): function[process, event, Clocktime → time] =
    (λ p, i, T : pc_p(T - adj_p^i))

s_{*1}^{*2}: function[process, event → time] = (λ p, i : ic_p^i(S^i))
T^0: Clocktime

T_{*1}^{*2}: function[process, event → Clocktime]
synctime_defn: Axiom t_p^{i+1} = ic_p^i(T_p^{i+1})

synctime0_defn: Axiom t_p^0 = pc_p(T^0)
correct_during: function[process, time, time → bool] =
    (λ p, t, s : t ≤ s ∧ (∀ t1 : t ≤ t1 ∧ t1 ≤ s ⊃ correct(p, t1)))

wpred: function[event → function[process → bool]]
rpred: function[event → function[process → bool]]
wvr_pred: function[event → function[process → bool]] =
    (λ i : (λ p : wpred(i)(p) ∨ rpred(i)(p)))

wvr_defn: Lemma wvr_pred(i) = (λ p : wpred(i)(p) ∨ rpred(i)(p))

wpred_wvr: Lemma wpred(i)(p) ⊃ wvr_pred(i)(p)
rpred_wvr: Lemma rpred(i)(p) ⊃ wvr_pred(i)(p)
wpred_ax: Axiom count(wpred(i), N) > N - F
wvr_count: Lemma count(wvr_pred(i), N) > N - F
wpred_correct: Axiom wpred(i)(p) ⊃ correct_during(p, t_p^i, t_p^{i+1})
wpred_preceding: Axiom wpred(i + 1)(p) ⊃ wpred(i)(p) ∨ rpred(i)(p)
wpred_rpred_disjoint: Axiom ¬(wpred(i)(p) ∧ rpred(i)(p))
wpred_bridge: Axiom
    wvr_pred(i)(p) ∧ correct_during(p, t_p^{i+1}, t_p^{i+2}) ⊃ wpred(i + 1)(p)

wpred_fixtime: Lemma wpred(i)(p) ⊃ correct_during(p, s_p^i, t_p^{i+1})

wpred_fixtime_low: Lemma wpred(i)(p) ⊃ correct_during(p, t_p^i, s_p^i)

correct_during_trans: Lemma
    correct_during(p, t, t2) ∧ correct_during(p, t2, s)
    ⊃ correct_during(p, t, s)

correct_during_sub_left: Lemma
    correct_during(p, t, s) ∧ t < t2 ∧ t2 < s ⊃ correct_during(p, t, t2)

correct_during_sub_right: Lemma
    correct_during(p, t, s) ∧ t < t2 ∧ t2 < s ⊃ correct_during(p, t2, s)

wpred_lo_lem: Lemma wpred(i)(p) ⊃ correct(p, t_p^i)

wpred_hi_lem: Lemma wpred(i)(p) ⊃ correct(p, t_p^{i+1})

correct_during_hi: Lemma correct_during(p, t, s) ⊃ correct(p, s)

correct_during_lo: Lemma correct_during(p, t, s) ⊃ correct(p, t)

clock_ax: Axiom PC_p(pc_p(T)) = T

iclock_defn: Lemma ic_p^i(T) = pc_p(T - adj_p^i)

iclock_lem: Lemma correct(p, pc_p(T - adj_p^i)) ⊃ IC_p^i(ic_p^i(T)) = T

ADJ_{*1}^{*2}: function[process, event → Clocktime] = (λ p, i : adj_p^{i+1} - adj_p^i)

IClock_ADJ_lem: Lemma correct(p, t) ⊃ IC_p^{i+1}(t) = IC_p^i(t) + ADJ_p^i

iclock_ADJ_lem: Lemma ic_p^{i+1}(T) = ic_p^i(T - ADJ_p^i)

rts_new_1: Axiom correct(p, t_p^{i+1}) ⊃ S^i + α(β' + 2 * Λ') < T_p^{i+1}

rts_new_2: Axiom correct(p, t_p^i) ⊃ T_p^i < S^i - α(β' + 2 * Λ')

FIXTIME_bound: Lemma correct(p, t_p^{i+1}) ⊃ S^{i+1} > S^i + 2 * α(β' + 2 * Λ')

R_bound: Lemma correct(p, t_p^{i+1}) ⊃ R > 2 * α(β' + 2 * Λ')

RATE_1: Axiom correct_during(p, pc_p(T), pc_p(S)) ∧ S > T
    ⊃ pc_p(S) - pc_p(T) < (S - T) * (1 + ρ)

RATE_2: Axiom correct_during(p, pc_p(T), pc_p(S)) ∧ S > T
    ⊃ pc_p(S) - pc_p(T) > (S - T)/(1 + ρ)
RATE_1_iclock: Lemma
    correct_during(p, ic_p^i(T), ic_p^i(S)) ∧ S > T
    ⊃ ic_p^i(S) - ic_p^i(T) < (S - T) * (1 + ρ)

RATE_2_iclock: Lemma
    correct_during(p, ic_p^i(T), ic_p^i(S)) ∧ S > T
    ⊃ ic_p^i(S) - ic_p^i(T) > (S - T)/(1 + ρ)

rate_simplify: Lemma S > T ⊃ (S - T)/(1 + ρ) > (S - T) * (1 - ρ)

rate_simplify_step: Lemma S > T ⊃ (1 + ρ) * ((S - T) * (1 - ρ)) < S - T

RATE_2_simplify: Lemma
    correct_during(p, pc_p(T), pc_p(S)) ∧ S > T
    ⊃ pc_p(S) - pc_p(T) > (S - T) * (1 - ρ)

RATE_2_simplify_iclock: Lemma
    correct_during(p, ic_p^i(T), ic_p^i(S)) ∧ S > T
    ⊃ ic_p^i(S) - ic_p^i(T) > (S - T) * (1 - ρ)

RATE_lemma1: Lemma
    correct_during(p, pc_p(T), pc_p(S))
    ∧ correct_during(q, pc_q(T), pc_q(S)) ∧ S > T
    ⊃ |pc_p(S) - pc_q(S)| < |pc_p(T) - pc_q(T)| + 2 * ρ * (S - T)

RATE_lemma1_iclock: Lemma
    correct_during(p, ic_p^i(T), ic_p^i(S))
    ∧ correct_during(q, ic_q^i(T), ic_q^i(S)) ∧ S > T
    ⊃ |ic_p^i(S) - ic_q^i(S)| < |ic_p^i(T) - ic_q^i(T)| + 2 * ρ * (S - T)

RATE_lemma2: Lemma
    correct_during(p, pc_p(T), pc_p(S)) ∧ S > T
    ⊃ |(pc_p(S) - S) - (pc_p(T) - T)| < ρ * (|S - T|)

RATE_lemma2_iclock: Lemma
    correct_during(p, ic_p^i(T), ic_p^i(S)) ∧ S > T
    ⊃ |(ic_p^i(S) - S) - (ic_p^i(T) - T)| < ρ * (|S - T|)

bnd_delay_init: Axiom wpred(0)(p) ∧ wpred(0)(q) ⊃ |s_p^0 - s_q^0| < β'

reading_error3: Axiom
    correct_during(p, s_p^i, t_p^{i+1})
    ∧ correct_during(q, s_q^i, t_p^{i+1}) ∧ |s_p^i - s_q^i| < β'
    ⊃ |(Θ_p^{i+1}(q) - IC_p^i(t_p^{i+1})) - (s_p^i - s_q^i)| ≤ Λ'

ADJ_lem1: Lemma correct_during(p, s_p^i, t_p^{i+1})
    ⊃ (ADJ_p^i = cfn(p, (λ p1 : Θ_p^{i+1}(p1) - IC_p^i(t_p^{i+1}))))

ADJ_lem2: Lemma correct_during(p, s_p^i, t_p^{i+1})
    ⊃ (ADJ_p^i = cfn(p, Θ_p^{i+1}) - IC_p^i(t_p^{i+1}))
read_self: Axiom wpred(i)(p) ⊃ Θ_p^{i+1}(p) = IC_p^i(t_p^{i+1})

fix_between_sync: Axiom
    correct_during(p, t_p^i, t_p^{i+1}) ⊃ t_p^i < s_p^i ∧ s_p^i < t_p^{i+1}

Proof

FIXTIME_bound_pr: Prove FIXTIME_bound from rts_new_1, rts_new_2 {i ← i + 1}

R_bound_pr: Prove R_bound from FIXTIME_bound, S^{*1}, S^{*1} {i ← i + 1}

iclock_defn_pr: Prove iclock_defn from ic_{*1}^{*2}(*3)

wpred_fixtime_pr: Prove wpred_fixtime from
    fix_between_sync,
    wpred_correct,
    correct_during_sub_right {s ← t_p^{i+1}, t ← t_p^i, t2 ← s_p^i}

wpred_fixtime_low_pr: Prove wpred_fixtime_low from
    fix_between_sync,
    wpred_correct,
    correct_during_sub_left {s ← t_p^{i+1}, t ← t_p^i, t2 ← s_p^i}

correct_during_sub_left_pr: Prove correct_during_sub_left from
    correct_during {s ← t2}, correct_during {t1 ← t1@p1}

correct_during_sub_right_pr: Prove correct_during_sub_right from
    correct_during {t ← t2}, correct_during {t1 ← t1@p1}

correct_during_trans_pr: Prove correct_during_trans from
    correct_during,
    correct_during {s ← t2, t1 ← t1@p1},
    correct_during {t ← t2, t1 ← t1@p1}

wpred_wvr_pr: Prove wpred_wvr from wvr_defn

rpred_wvr_pr: Prove rpred_wvr from wvr_defn

wvr_defn_hack: Lemma
    (∀ p : wvr_pred(i)(p) = ((λ p : wpred(i)(p) ∨ rpred(i)(p))(p)))

wvr_defn_hack_pr: Prove wvr_defn_hack from wvr_pred {p ← p@c}

wvr_defn_pr: Prove wvr_defn from
    pred_extensionality
    {pred1 ← wvr_pred(i),
     pred2 ← (λ p : wpred(i)(p) ∨ rpred(i)(p))},
    wvr_defn_hack {p ← p@p1}
wvr_count_pr: Prove wvr_count from
    wpred_ax,
    count_imp
    {ppred1 ← wpred(i),
     ppred2 ← (λ p : wpred(i)(p) ∨ rpred(i)(p)),
     n ← N},
    wvr_defn,
    imp_pred_or {ppred1 ← wpred(i), ppred2 ← rpred(i)}
w, x, y, z: Var number

mult_abs_hack: Lemma x * (1 - ρ) < y ∧ y < x * (1 + ρ) ⊃ |y - x| < ρ * x

mult_abs_hack_pr: Prove mult_abs_hack from
    mult_ldistrib {y ← 1, z ← ρ},
    mult_ldistrib_minus {y ← 1, z ← ρ},
    mult_rident,
    abs_3_bnd {x ← y, y ← x, z ← ρ * x},
    mult_com {y ← ρ}

RATE_1_iclock_pr: Prove RATE_1_iclock from
    RATE_1 {S ← S - adj_p^i, T ← T - adj_p^i},
    iclock_defn,
    iclock_defn {T ← S}

RATE_2_iclock_pr: Prove RATE_2_iclock from
    RATE_2 {S ← S - adj_p^i, T ← T - adj_p^i},
    iclock_defn,
    iclock_defn {T ← S}

RATE_2_simplify_iclock_pr: Prove RATE_2_simplify_iclock from
    RATE_2_simplify {S ← S - adj_p^i, T ← T - adj_p^i},
    iclock_defn,
    iclock_defn {T ← S}

RATE_lemma1_sym: Lemma
    correct_during(p, pc_p(T), pc_p(S))
    ∧ correct_during(q, pc_q(T), pc_q(S)) ∧ S > T ∧ pc_p(S) > pc_q(S)
    ⊃ |pc_p(S) - pc_q(S)| < |pc_p(T) - pc_q(T)| + 2 * ρ * (S - T)

R11hack: Lemma w < x ∧ y < z ∧ y > x ⊃ |y - x| < |z - w|

R11hack_pr: Prove R11hack from |*1| {x ← y - x}, |*1| {x ← z - w}
RATE_lemma1_sym_pr: Prove RATE_lemma1_sym from
    RATE_1,
    RATE_2_simplify {p ← q},
    R11hack
    {x ← pc_q(S),
     y ← pc_p(S),
     w ← pc_q(T) + (S - T) * (1 - ρ),
     z ← pc_p(T) + (S - T) * (1 + ρ)},
    mult_ldistrib {x ← S - T, y ← 1, z ← ρ},
    mult_ldistrib_minus {x ← S - T, y ← 1, z ← ρ},
    abs_plus {x ← pc_p(T) - pc_q(T), y ← 2 * ρ * (S - T)},
    mult_com {x ← ρ, y ← S - T},
    abs_ge0 {x ← 2 * ρ * (S - T)},
    mult_non_neg {x ← ρ, y ← S - T},
    rho_0

RATE_lemma1_pr: Prove RATE_lemma1 from
    RATE_lemma1_sym,
    RATE_lemma1_sym {p ← q, q ← p},
    abs_com {x ← pc_p(S), y ← pc_q(S)},
    abs_com {x ← pc_p(T), y ← pc_q(T)}

RATE_lemma1_iclock_sym: Lemma
    correct_during(p, ic_p^i(T), ic_p^i(S))
    ∧ correct_during(q, ic_q^i(T), ic_q^i(S)) ∧ S > T ∧ ic_p^i(S) > ic_q^i(S)
    ⊃ |ic_p^i(S) - ic_q^i(S)| < |ic_p^i(T) - ic_q^i(T)| + 2 * ρ * (S - T)

RATE_lemma1_iclock_sym_pr: Prove RATE_lemma1_iclock_sym from
    RATE_1_iclock,
    RATE_2_simplify_iclock {p ← q},
    R11hack
    {x ← ic_q^i(S),
     y ← ic_p^i(S),
     w ← ic_q^i(T) + (S - T) * (1 - ρ),
     z ← ic_p^i(T) + (S - T) * (1 + ρ)},
    mult_ldistrib {x ← S - T, y ← 1, z ← ρ},
    mult_ldistrib_minus {x ← S - T, y ← 1, z ← ρ},
    abs_plus {x ← ic_p^i(T) - ic_q^i(T), y ← 2 * ρ * (S - T)},
    mult_com {x ← ρ, y ← S - T},
    abs_ge0 {x ← 2 * ρ * (S - T)},
    mult_non_neg {x ← ρ, y ← S - T},
    rho_0

RATE_lemma1_iclock_pr: Prove RATE_lemma1_iclock from
    RATE_lemma1_iclock_sym,
    RATE_lemma1_iclock_sym {p ← q, q ← p},
    abs_com {x ← ic_p^i(S), y ← ic_q^i(S)},
    abs_com {x ← ic_p^i(T), y ← ic_q^i(T)}
RATE_lemma2_pr: Prove RATE_lemma2 from
    RATE_1,
    RATE_2_simplify,
    mult_abs_hack {x ← S - T, y ← pc_p(S) - pc_p(T)},
    abs_ge0 {x ← S - T}

RATE_lemma2_iclock_pr: Prove RATE_lemma2_iclock from
    RATE_lemma2 {S ← S - adj_p^i, T ← T - adj_p^i},
    iclock_defn {T ← S},
    iclock_defn

wpred_lo_lem_pr: Prove wpred_lo_lem from
    wpred_correct,
    correct_during {s ← t_p^{i+1}, t ← t_p^i, t1 ← t_p^i}

wpred_hi_lem_pr: Prove wpred_hi_lem from
    wpred_correct,
    correct_during {s ← t_p^{i+1}, t ← t_p^i, t1 ← t_p^{i+1}}

correct_during_hi_pr: Prove correct_during_hi from correct_during {t1 ← s}

correct_during_lo_pr: Prove correct_during_lo from correct_during {t1 ← t}

mult_assoc: Lemma x * (y * z) = (x * y) * z

mult_assoc_pr: Prove mult_assoc from
    *1 * *2 {y ← y * z},
    *1 * *2,
    *1 * *2 {x ← y, y ← z},
    *1 * *2 {x ← x * y, y ← z}

diff_squares: Lemma (1 + ρ) * (1 - ρ) = 1 - ρ * ρ

diff_squares_pr: Prove diff_squares from
    distrib {x ← 1, y ← ρ, z ← 1 - ρ},
    mult_lident {x ← 1 - ρ},
    mult_ldistrib_minus {x ← ρ, y ← 1, z ← ρ},
    mult_rident {x ← ρ}

rate_simplify_step_pr: Prove rate_simplify_step from
    mult_com {x ← (S - T), y ← (1 - ρ)},
    mult_assoc {x ← 1 + ρ, y ← 1 - ρ, z ← S - T},
    diff_squares,
    distrib_minus {x ← 1, y ← ρ * ρ, z ← S - T},
    mult_lident {x ← S - T},
    pos_product {x ← ρ * ρ, y ← S - T},
    pos_product {x ← ρ, y ← ρ},
    rho_0
rate_simplify_pr: Prove rate_simplify from
    div_ineq
    {z ← (1 + ρ),
     y ← (S - T)},
    div_cancel {x ← (1 + ρ), y ← (S - T) * (1 - ρ)},
    rho_0,
    rate_simplify_step

RATE_2_simplify_pr: Prove RATE_2_simplify from RATE_2, rate_simplify

iclock_lem_pr: Prove iclock_lem from
    iclock_defn, IClock_defn {t ← pc_p(T - adj_p^i)}, clock_ax {T ← T - adj_p^i}

IClock_ADJ_lem_pr: Prove IClock_ADJ_lem from
    IClock_defn, IClock_defn {i ← i + 1}, ADJ_{*1}^{*2}

iclock_ADJ_lem_pr: Prove iclock_ADJ_lem from
    iclock_defn {T ← T - ADJ_p^i}, iclock_defn {i ← i + 1}, ADJ_{*1}^{*2}

ADJ_lem1_pr: Prove ADJ_lem1 from
    ADJ_lem2,
    translation_invariance {X ← -IC_p^i(t_p^{i+1}), γ ← Θ_p^{i+1}}

ADJ_lem2_pr: Prove ADJ_lem2 from
    adj_{*1}^{*2},
    adj_{*1}^{*2} {i ← i + 1},
    IClock_defn {t ← t_p^{i+1}},
    correct_during_hi {t ← s_p^i, s ← t_p^{i+1}}

End delay
delay2: Module

Using arith, clockassumptions, delay
Exporting all with clockassumptions, delay

Theory

p, q, p1: Var process
i: Var event

delay_pred: function[event → bool] =
    (λ i : (∀ p, q : wpred(i)(p) ∧ wpred(i)(q) ⊃ |s_p^i - s_q^i| < β'))

ADJ_pred: function[event → bool] =
    (λ i : (∀ p : i ≥ 1 ∧ wpred(i - 1)(p) ⊃ |ADJ_p^{i-1}| < α(β' + 2 * Λ')))

delay_pred_lr: Lemma
    delay_pred(i) ⊃ (wpred(i)(p) ∧ wpred(i)(q) ⊃ |s_p^i - s_q^i| < β')
bnd_delay_offset: Theorem ADJ_pred(i) ∧ delay_pred(i)
bnd_delay_offset_0: Lemma ADJ_pred(0) ∧ delay_pred(0)

bnd_delay_offset_ind: Lemma
    ADJ_pred(i) ∧ delay_pred(i) ⊃ ADJ_pred(i + 1) ∧ delay_pred(i + 1)

bnd_delay_offset_ind_a: Lemma delay_pred(i) ⊃ ADJ_pred(i + 1)

bnd_delay_offset_ind_b: Lemma
    delay_pred(i) ∧ ADJ_pred(i + 1) ⊃ delay_pred(i + 1)

good_ReadClock: Lemma
    delay_pred(i) ∧ wpred(i)(p) ⊃ okay_Readpred(Θ_p^{i+1}, β' + 2 * Λ', wpred(i))

delay_prec_enh: Lemma
    delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q)
    ⊃ |(s_p^i - s_q^i) - (ADJ_p^i - ADJ_q^i)| < π(2 * Λ' + 2, β' + 2 * Λ')

delay_prec_enh_step1: Lemma
    delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q)
    ⊃ |cfn(p, (λ p1 : Θ_p^{i+1}(p1) - IC_p^i(t_p^{i+1}) - ⌊s_p^i⌋))
        - cfn(q, (λ p1 : Θ_q^{i+1}(p1) - IC_q^i(t_q^{i+1}) - ⌈s_q^i⌉))|
    < π(2 * Λ' + 2, β' + 2 * Λ')

delay_prec_enh_step1_sym: Lemma
    delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q) ∧ ADJ_p^i - s_p^i ≥ ADJ_q^i - s_q^i
    ⊃ |(ADJ_p^i - s_p^i) - (ADJ_q^i - s_q^i)|
    ≤ |cfn(p, (λ p1 : Θ_p^{i+1}(p1) - IC_p^i(t_p^{i+1}) - ⌊s_p^i⌋))
        - cfn(q, (λ p1 : Θ_q^{i+1}(p1) - IC_q^i(t_q^{i+1}) - ⌈s_q^i⌉))|
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prec.enh.hypl: Lemma 

delay _pred(i) A wpred(i)(p) A wpred(i)(</) 

D okay_pairs(( X p\ : Q' p +l (pi) - IC' p {t'+ l ) - |^J), 

(Ap,:e;+»o.,)-/ci(i;+*)-r-;l), 

2 * A' + 2, 
wpred(i)) 

prec_enh_hyp_2: Lemma 
delay_pred(i) A wpred(/‘)(;;) 

D okay.Readpred(( X p, : 0' +1 ( Pl ) - /q,(/’+ l ) - [,s‘ j), 
ft’ + 2 * A', 
wpred(i)) 

prec_enh_hyp_3: Lemma 
delay_pred(?’) A wpred(/)(ry) 

D okay_Readpred(( Xp t : 0j +, ( P i) - - fijl)* 

/?' + 2* A', 

wpred(i)) 

Proof

delay_pred_lr_pr: Prove delay_pred_lr from delay_pred

delay_prec_enh_step1_pr: Prove delay_prec_enh_step1 from
  precision_enhancement_ax
    {ppred ← wpred(i),
     $y \leftarrow \beta' + 2 * \Delta'$,
     $x \leftarrow 2 * \Delta' + 2$,
     $\gamma \leftarrow (\lambda\, p_1 : \Theta_p^{i+1}(p_1) - \mathit{IC}_p^i(t_p^{i+1}) - \lfloor s_p^i \rfloor)$,
     $\theta \leftarrow (\lambda\, p_1 : \Theta_q^{i+1}(p_1) - \mathit{IC}_q^i(t_q^{i+1}) - \lceil s_q^i \rceil)$},
  prec_enh_hyp1,
  prec_enh_hyp_2,
  prec_enh_hyp_3,
  wpred_ax

prec_enh_hyp_2_pr: Prove prec_enh_hyp_2 from
  good_ReadClock,
  okay_Readpred
    {$\gamma \leftarrow (\lambda\, p_1 : \Theta_p^{i+1}(p_1) - \mathit{IC}_p^i(t_p^{i+1}) - \lfloor s_p^i \rfloor)$,
     $y \leftarrow \beta' + 2 * \Delta'$,
     ppred ← wpred(i)},
  okay_Readpred
    {$\gamma \leftarrow \Theta_p^{i+1}$,
     $y \leftarrow \beta' + 2 * \Delta'$,
     ppred ← wpred(i),
     l ← l@p2,
     m ← m@p2}
prec_enh_hyp_3_pr: Prove prec_enh_hyp_3 from
  good_ReadClock {p ← q},
  okay_Readpred
    {$\gamma \leftarrow (\lambda\, p_1 : \Theta_q^{i+1}(p_1) - \mathit{IC}_q^i(t_q^{i+1}) - \lceil s_q^i \rceil)$,
     $y \leftarrow \beta' + 2 * \Delta'$,
     ppred ← wpred(i)},
  okay_Readpred
    {$\gamma \leftarrow \Theta_q^{i+1}$,
     $y \leftarrow \beta' + 2 * \Delta'$,
     ppred ← wpred(i),
     l ← l@p2,
     m ← m@p2}

bnd_del_off_0_pr: Prove bnd_delay_offset_0 from
  ADJ_pred {i ← 0},
  delay_pred {i ← 0},
  bnd_delay_init {p ← p@p2, q ← q@p2}

bnd_delay_offset_ind_pr: Prove bnd_delay_offset_ind from
  bnd_delay_offset_ind_a, bnd_delay_offset_ind_b

bnd_delay_offset_pr: Prove bnd_delay_offset from
  induction {$\mathrm{prop} \leftarrow (\lambda\, i : \mathrm{ADJ\_pred}(i) \wedge \mathrm{delay\_pred}(i))$},
  bnd_delay_offset_0,
  bnd_delay_offset_ind {i ← j@p1}

a, b, c, d, e, f, g, h: Var number

abs_hack: Lemma $|a - b| \le |e - f| + |(a - c) - (d - e)| + |(b - c) - (d - f)|$

abs_hack_pr: Prove abs_hack from
  abs_com {x ← f, y ← e},
  abs_com {x ← (d − f), y ← (b − c)},
  abs_plus {x ← f − e, y ← ((a − c) − (d − e)) + ((d − f) − (b − c))},
  abs_plus {x ← ((a − c) − (d − e)), y ← ((d − f) − (b − c))}

abshack2: Lemma $|a| \le b \wedge |c| \le d \wedge |e| \le d \supset |a| + |c| + |e| \le b + 2 * d$

abshack2_pr: Prove abshack2
good_ReadClock_pr: Prove good_ReadClock from
  okay_Readpred
    {$\gamma \leftarrow \Theta_p^{i+1}$,
     $y \leftarrow \beta' + 2 * \Delta'$,
     ppred ← wpred(i)},
  delay_pred {p ← l@p1, q ← m@p1},
  delay_pred {q ← l@p1},
  delay_pred {q ← m@p1},
  reading_error3 {q ← l@p1},
  reading_error3 {q ← m@p1},
  abs_hack
    {$a \leftarrow \Theta_p^{i+1}(l@p1)$,
     $b \leftarrow \Theta_p^{i+1}(m@p1)$,
     $c \leftarrow \mathit{IC}_p^i(t_p^{i+1})$,
     $d \leftarrow s_p^i$,
     $e \leftarrow s^i_{l@p1}$,
     $f \leftarrow s^i_{m@p1}$},
  abshack2
    {a ← e@p7 − f@p7,
     $b \leftarrow \beta'$,
     c ← ((a@p7 − c@p7) − (d@p7 − e@p7)),
     $d \leftarrow \Delta'$,
     e ← ((b@p7 − c@p7) − (d@p7 − f@p7))},
  wpred_fixtime,
  wpred_fixtime {p ← l@p1},
  wpred_fixtime {p ← m@p1}

bnd_del_off_ind_a_pr: Prove bnd_delay_offset_ind_a from
  ADJ_pred {i ← i + 1},
  ADJ_lem2 {p ← p@p1},
  accuracy_preservation_ax
    {ppred ← wpred(i),
     $\gamma \leftarrow \Theta_{p@p1}^{i+1}$,
     p ← p@p1,
     q ← p@p1,
     $x \leftarrow \beta' + 2 * \Delta'$},
  wpred_ax,
  read_self {p ← p@p1},
  good_ReadClock {p ← p@p1},
  wpred_fixtime {p ← p@p1}

abshack4: Lemma $a - b \ge c - d$
  $\supset |(a - b) - (c - d)| \le |(a - \lfloor b \rfloor) - (c - \lceil d \rceil)|$

floor_hack: Lemma $a - \lfloor b \rfloor \ge a - b$

floor_hack_pr: Prove floor_hack from floor_defn {x ← b}

ceil_hack: Lemma $c - d \ge c - \lceil d \rceil$

ceil_hack_pr: Prove ceil_hack from ceil_defn {x ← d}

abshack4_pr: Prove abshack4 from
  abs_ge0 {x ← (a − b) − (c − d)},
  abs_ge0 {$x \leftarrow (a - \lfloor b \rfloor) - (c - \lceil d \rceil)$},
  floor_hack,
  ceil_hack


X: Var Clocktime

ADJ_hack: Lemma $\mathrm{wpred}(i)(p)$
  $\supset \mathit{ADJ}_p^i - X = \mathrm{cfn}(p, (\lambda\, p_1 : \Theta_p^{i+1}(p_1) - \mathit{IC}_p^i(t_p^{i+1}) - X))$

ADJ_hack_pr: Prove ADJ_hack from
  ADJ_lem1,
  translation_invariance
    {$\gamma \leftarrow (\lambda\, p_1 \rightarrow \mathrm{Clocktime} : \Theta_p^{i+1}(p_1) - \mathit{IC}_p^i(t_p^{i+1}))$,
     X ← −X},
  wpred_fixtime

delay_prec_enh_step1_sym_pr: Prove delay_prec_enh_step1_sym from
  ADJ_hack {$X \leftarrow \lfloor s_p^i \rfloor$},
  ADJ_hack {p ← q, $X \leftarrow \lceil s_q^i \rceil$},
  abshack4 {$a \leftarrow \mathit{ADJ}_p^i$, $b \leftarrow s_p^i$, $c \leftarrow \mathit{ADJ}_q^i$, $d \leftarrow s_q^i$}

abshack5: Lemma $|((a - b) - (\lfloor c \rfloor - d)) - ((e - f) - (\lceil g \rceil - d))|$
  $\le |(a - b) - (\lfloor c \rfloor - d)| + |(e - f) - (\lceil g \rceil - d)|$

abshack5_pr: Prove abshack5 from
  abs_com {$x \leftarrow e - f$, $y \leftarrow \lceil g \rceil - d$},
  abs_plus {$x \leftarrow (a - b) - (\lfloor c \rfloor - d)$, $y \leftarrow (\lceil g \rceil - d) - (e - f)$}

absfloor: Lemma $|a - \lfloor b \rfloor| \le |a - b| + 1$

absceil: Lemma $|a - \lceil b \rceil| \le |a - b| + 1$

absfloor_pr: Prove absfloor from
  floor_defn {x ← b}, |*1| {$x \leftarrow a - \lfloor b \rfloor$}, |*1| {x ← a − b}

absceil_pr: Prove absceil from
  ceil_defn {x ← b}, |*1| {$x \leftarrow a - \lceil b \rceil$}, |*1| {x ← a − b}

abshack6a: Lemma $|(a - b) - (\lfloor c \rfloor - d)| \le |(a - b) - (c - d)| + 1$
abshack6b: Lemma $|(e - f) - (\lceil g \rceil - d)| \le |(e - f) - (g - d)| + 1$

abshack6a_pr: Prove abshack6a from
  absfloor {a ← (a − b) + d, b ← c},
  abs_plus {x ← (a − b) − (c − d), y ← 1},
  abs_ge0 {x ← 1}

abshack6b_pr: Prove abshack6b from
  absceil {a ← (e − f) + d, b ← g},
  abs_plus {x ← (e − f) − (g − d), y ← 1},
  abs_ge0 {x ← 1}

abshack7: Lemma $|(a - b) - (c - d)| \le h \wedge |(e - f) - (g - d)| \le h$
  $\supset |((a - b) - (\lfloor c \rfloor - d)) - ((e - f) - (\lceil g \rceil - d))| \le 2 * (h + 1)$

abshack7_pr: Prove abshack7 from abshack5, abshack6a, abshack6b

prec_enh_hyp1_pr: Prove prec_enh_hyp1 from
  okay_pairs
    {$\gamma \leftarrow (\lambda\, p_1 : \Theta_p^{i+1}(p_1) - \mathit{IC}_p^i(t_p^{i+1}) - \lfloor s_p^i \rfloor)$,
     $\theta \leftarrow (\lambda\, p_1 : \Theta_q^{i+1}(p_1) - \mathit{IC}_q^i(t_q^{i+1}) - \lceil s_q^i \rceil)$,
     $x \leftarrow 2 * (\Delta' + 1)$,
     ppred ← wpred(i)},
  delay_pred {q ← p3@p1},
  delay_pred {p ← q, q ← p3@p1},
  reading_error3 {q ← p3@p1},
  reading_error3 {p ← q, q ← p3@p1},
  abshack7
    {$a \leftarrow \Theta_p^{i+1}(p_3@p1)$,
     $b \leftarrow \mathit{IC}_p^i(t_p^{i+1})$,
     $c \leftarrow s_p^i$,
     $d \leftarrow s^i_{p_3@p1}$,
     $e \leftarrow \Theta_q^{i+1}(p_3@p1)$,
     $f \leftarrow \mathit{IC}_q^i(t_q^{i+1})$,
     $g \leftarrow s_q^i$,
     $h \leftarrow \Delta'$},
  wpred_fixtime,
  wpred_fixtime {p ← q},
  wpred_fixtime {p ← p3@p1}

abshack3: Lemma $|(a - b) - (c - d)| = |(c - a) - (d - b)|$

abshack3_pr: Prove abshack3 from abs_com {x ← a − b, y ← c − d}

delay_prec_enh_pr: Prove delay_prec_enh from
  delay_prec_enh_step1,
  delay_prec_enh_step1 {p ← q, q ← p},
  delay_prec_enh_step1_sym,
  delay_prec_enh_step1_sym {p ← q, q ← p},
  abs_com {$x \leftarrow \mathit{ADJ}_p^i - s_p^i$, $y \leftarrow \mathit{ADJ}_q^i - s_q^i$},
  abshack3 {$a \leftarrow \mathit{ADJ}_p^i$, $b \leftarrow s_p^i$, $c \leftarrow \mathit{ADJ}_q^i$, $d \leftarrow s_q^i$}

End delay2
delay3: Module

Using arith, clockassumptions, delay2
Exporting all with clockassumptions, delay2
Theory

p, q: Var process
i: Var event
T: Var Clocktime

good_interval: function[process, event, Clocktime → bool] =
  $(\lambda\, p, i, T : (\mathrm{correct\_during}(p, s_p^i, \mathit{ic}_p^{i+1}(T)) \wedge T - \mathit{ADJ}_p^i \ge S^i)$
  $\quad \vee (\mathrm{correct\_during}(p, \mathit{ic}_p^{i+1}(T), s_p^i) \wedge S^i \ge T - \mathit{ADJ}_p^i))$

recovery_lemma: Axiom 

delay_pred(i) A ADJ_pred(i + 1) 

A rpred(i)(p) A correct_during(p, t'* 2 ) A wpred(t + 1)(</) 

d i4 +i - S '+ x \ < s' 

good_interval_lem: Lemma
  $\mathrm{wpred}(i)(p) \wedge \mathrm{wpred}(i+1)(p) \wedge \mathrm{ADJ\_pred}(i+1) \supset \mathrm{good\_interval}(p, i, S^{i+1})$

betaprime_ax: Axiom
  $2 * \rho * (R + \alpha(\beta' + 2 * \Delta')) + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta') \le \beta'$

R_0_lem: Lemma $\mathrm{wpred}(i)(p) \wedge \mathrm{ADJ\_pred}(i+1) \supset R \ge 0$

bound_future: Lemma
  $\mathrm{delay\_pred}(i) \wedge \mathrm{ADJ\_pred}(i+1)$
  $\wedge \mathrm{wpred}(i)(p)$
  $\wedge \mathrm{wpred}(i)(q) \wedge \mathrm{good\_interval}(p, i, T) \wedge \mathrm{good\_interval}(q, i, T)$
  $\supset |\mathit{ic}_p^{i+1}(T) - \mathit{ic}_q^{i+1}(T)|$
  $\le 2 * \rho * (|T - S^i| + \alpha(\beta' + 2 * \Delta')) + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta')$

bound_future1: Lemma
  $\mathrm{delay\_pred}(i) \wedge \mathrm{ADJ\_pred}(i+1) \wedge \mathrm{wpred}(i)(p) \wedge \mathrm{good\_interval}(p, i, T)$
  $\supset |(\mathit{ic}_p^i(T - \mathit{ADJ}_p^i) - s_p^i) - (T - \mathit{ADJ}_p^i - S^i)|$
  $\le \rho * (|T - S^i| + \alpha(\beta' + 2 * \Delta'))$

bound_future1_step: Lemma
  $\mathrm{delay\_pred}(i) \wedge \mathrm{ADJ\_pred}(i+1) \wedge \mathrm{wpred}(i)(p) \wedge \mathrm{good\_interval}(p, i, T)$
  $\supset |(\mathit{ic}_p^i(T - \mathit{ADJ}_p^i) - s_p^i) - (T - \mathit{ADJ}_p^i - S^i)| \le \rho * (|T - \mathit{ADJ}_p^i - S^i|)$

bound_FIXTIME: Lemma
  $\mathrm{delay\_pred}(i) \wedge \mathrm{ADJ\_pred}(i+1)$
  $\wedge \mathrm{wpred}(i)(p)$
  $\wedge \mathrm{wpred}(i)(q)$
  $\wedge \mathrm{good\_interval}(p, i, S^{i+1}) \wedge \mathrm{good\_interval}(q, i, S^{i+1})$
  $\supset |s_p^{i+1} - s_q^{i+1}| \le \beta'$

bound_FIXTIME2: Lemma
  $\mathrm{delay\_pred}(i) \wedge \mathrm{ADJ\_pred}(i+1) \wedge \mathrm{wpred}(i)(p) \wedge \mathrm{wpred}(i)(q)$
  $\supset (\mathrm{wpred}(i+1)(p) \wedge \mathrm{wpred}(i+1)(q) \supset |s_p^{i+1} - s_q^{i+1}| \le \beta')$

delay_offset: Lemma $\mathrm{wpred}(i)(p) \wedge \mathrm{wpred}(i)(q) \supset |s_p^i - s_q^i| \le \beta'$

ADJ_bound: Lemma $\mathrm{wpred}(i)(p) \supset |\mathit{ADJ}_p^i| \le \alpha(\beta' + 2 * \Delta')$

Alpha_0: Lemma $\mathrm{wpred}(i)(p) \supset \alpha(\beta' + 2 * \Delta') \ge 0$
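
The following worked derivation is an addition to this appendix, not part of the EHDM module text; it spells out the arithmetic that bound_FIXTIME_pr asks the prover to do. It assumes, from the way the lemmas are cited in that proof, that S*1 states $S^{i+1} = S^i + R$ and that s*1 states $s_p^{i+1} = \mathit{ic}_p^{i+1}(S^{i+1})$; both readings are assumptions made here, not statements taken from the page.

$$
\begin{aligned}
|s_p^{i+1} - s_q^{i+1}|
  &= |\mathit{ic}_p^{i+1}(S^{i+1}) - \mathit{ic}_q^{i+1}(S^{i+1})| && \text{(s*1, both processes)} \\
  &\le 2 * \rho * (|S^{i+1} - S^i| + \alpha(\beta' + 2 * \Delta')) + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta') && \text{(bound\_future with } T \leftarrow S^{i+1}) \\
  &= 2 * \rho * (R + \alpha(\beta' + 2 * \Delta')) + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta') && \text{(S*1; } R \ge 0 \text{ by R\_0\_lem, so } |S^{i+1} - S^i| = R) \\
  &\le \beta' && \text{(betaprime\_ax)}
\end{aligned}
$$

The two good_interval hypotheses that bound_future needs are discharged by good_interval_lem (once for p, once for q in bound_FIXTIME2_pr); this is the step that carries delay_pred(i) to delay_pred(i + 1) for processes working in both intervals, while a process that is only recovering in interval i is handled by recovery_lemma in bnd_delay_offset_ind_b_pr.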


Proof

delay_offset_pr: Prove delay_offset from bnd_delay_offset, delay_pred

ADJ_bound_pr: Prove ADJ_bound from
  bnd_delay_offset {i ← i + 1}, ADJ_pred {i ← i + 1}


a1, b1, c1, d1: Var number

abs_0: Lemma $|a_1| \le b_1 \supset b_1 \ge 0$

abs_0_pr: Prove abs_0 from |*1| {$x \leftarrow a_1$}


Alpha_0_pr: Prove Alpha_0 from
  ADJ_bound, abs_0 {$a_1 \leftarrow \mathit{ADJ}_p^i$, $b_1 \leftarrow \alpha(\beta' + 2 * \Delta')$}


R_0_hack: Lemma $\mathrm{wpred}(i)(p) \wedge \mathrm{ADJ\_pred}(i+1) \supset S^{i+1} - S^i \ge 0$


R_0_hack_pr: Prove R_0_hack from
  ADJ_pred {i ← i + 1},
  FIXTIME_bound,
  wpred_hi_lem,
  abs_0 {$a_1 \leftarrow \mathit{ADJ}_p^i$, $b_1 \leftarrow \alpha(\beta' + 2 * \Delta')$}

R_0_lem_pr: Prove R_0_lem from R_0_hack, S*1, S*1 {i ← i + 1}

abshack_future: Lemma $|(a_1 - b_1) - (c_1 - d_1)| = |(a_1 - c_1) - (b_1 - d_1)|$

abshack_future_pr: Prove abshack_future

abs_minus: Lemma $|a_1 - b_1| \le |a_1| + |b_1|$

abs_minus_pr: Prove abs_minus from
  |*1| {$x \leftarrow a_1 - b_1$}, |*1| {$x \leftarrow a_1$}, |*1| {$x \leftarrow b_1$}
bound_future1_pr: Prove bound_future1 from
  bound_future1_step,
  abs_minus {$a_1 \leftarrow T - S^i$, $b_1 \leftarrow \mathit{ADJ}_p^i$},
  ADJ_pred {i ← i + 1},
  mult_leq_2
    {$z \leftarrow \rho$,
     $y \leftarrow |T - \mathit{ADJ}_p^i - S^i|$,
     $x \leftarrow |T - S^i| + \alpha(\beta' + 2 * \Delta')$},
  rho_0

bound_future1_step_a: Lemma
  $\mathrm{correct\_during}(p, \mathit{ic}_p^i(T - \mathit{ADJ}_p^i), s_p^i) \wedge S^i \ge T - \mathit{ADJ}_p^i$
  $\supset |(\mathit{ic}_p^i(T - \mathit{ADJ}_p^i) - s_p^i) - (T - \mathit{ADJ}_p^i - S^i)| \le \rho * (|T - \mathit{ADJ}_p^i - S^i|)$

bound_future1_step_b: Lemma
  $\mathrm{correct\_during}(p, s_p^i, \mathit{ic}_p^i(T - \mathit{ADJ}_p^i)) \wedge T - \mathit{ADJ}_p^i \ge S^i$
  $\supset |(\mathit{ic}_p^i(T - \mathit{ADJ}_p^i) - s_p^i) - (T - \mathit{ADJ}_p^i - S^i)| \le \rho * (|T - \mathit{ADJ}_p^i - S^i|)$

bound_future1_step_a_pr: Prove bound_future1_step_a from
  RATE_lemma2_iclock {$T \leftarrow T - \mathit{ADJ}_p^i$, $S \leftarrow S^i$},
  s*2,
  s*1,
  abshack_future
    {$a_1 \leftarrow \mathit{ic}_p^i(T - \mathit{ADJ}_p^i)$,
     $b_1 \leftarrow s_p^i$,
     $c_1 \leftarrow T - \mathit{ADJ}_p^i$,
     $d_1 \leftarrow S^i$},
  abs_com {$x \leftarrow a_1@p3 - c_1@p3$, $y \leftarrow b_1@p3 - d_1@p3$},
  abs_com {x ← T@p1, y ← S@p1}

bound_future1_step_b_pr: Prove bound_future1_step_b from
  RATE_lemma2_iclock {$S \leftarrow T - \mathit{ADJ}_p^i$, $T \leftarrow S^i$},
  s*2,
  s*1,
  abshack_future
    {$a_1 \leftarrow \mathit{ic}_p^i(T - \mathit{ADJ}_p^i)$,
     $b_1 \leftarrow s_p^i$,
     $c_1 \leftarrow T - \mathit{ADJ}_p^i$,
     $d_1 \leftarrow S^i$}

bound_future1_step_pr: Prove bound_future1_step from
  good_interval, bound_future1_step_a, bound_future1_step_b, iclock_ADJ_lem
good_interval_lem_pr: Prove good_interval_lem from
  good_interval {$T \leftarrow S^{i+1}$},
  s*1 {i ← i + 1},
  wpred_fixtime,
  wpred_fixtime_low {i ← i + 1},
  correct_during_trans {$t \leftarrow s_p^i$, $t_1 \leftarrow t_p^{i+1}$, $t_2 \leftarrow s_p^{i+1}$},
  wpred_hi_lem,
  FIXTIME_bound,
  ADJ_pred {i ← i + 1},
  |*1| {$x \leftarrow \mathit{ADJ}_p^i$}

bound_FIXTIME2_pr: Prove bound_FIXTIME2 from
  bound_FIXTIME, good_interval_lem, good_interval_lem {p ← q}

bound_FIXTIME_pr: Prove bound_FIXTIME from
  bound_future {$T \leftarrow S^{i+1}$},
  S*1,
  S*1 {i ← i + 1},
  abs_ge0 {x ← R},
  R_0_lem,
  s*1 {p ← p@p1, i ← i + 1},
  s*1 {p ← q@p1, i ← i + 1},
  betaprime_ax

bnd_delay_offset_ind_b_pr: Prove bnd_delay_offset_ind_b from
  bound_FIXTIME2 {p ← p@p2, q ← q@p2},
  delay_pred {i ← i + 1},
  delay_pred {p ← p@p2, q ← q@p2},
  recovery_lemma {p ← p@p2, q ← q@p2},
  recovery_lemma {p ← q@p2, q ← p@p2},
  abs_com {$x \leftarrow s^{i+1}_{p@p2}$, $y \leftarrow s^{i+1}_{q@p2}$},
  wpred_preceding {p ← p@p2},
  wpred_preceding {p ← q@p2},
  wpred_correct {i ← i + 1, p ← p@p2},
  wpred_correct {i ← i + 1, p ← q@p2}

a, b, c, d, e, f, g, h, aa, bb: Var number

abshack: Lemma $|a - b|$
  $\le |(a - e) - (c - f - d)| + |(b - g) - (c - h - d)|$
  $\quad + |(e - g) - (f - h)|$

abshack2: Lemma $|(a - e) - (c - f - d)| \le aa$
  $\wedge |(b - g) - (c - h - d)| \le aa \wedge |(e - g) - (f - h)| \le bb$
  $\supset |a - b| \le 2 * aa + bb$
abshack2_pr: Prove abshack2 from abshack

abshack_pr: Prove abshack from
  abs_com {x ← b − g, y ← c − h − d},
  abs_plus {x ← (a − e) − (c − f − d), y ← (c − h − d) − (b − g)},
  abs_plus {x ← x@p2 + y@p2, y ← (e − g) − (f − h)}

bound_future_pr: Prove bound_future from
  bound_future1,
  bound_future1 {p ← q},
  delay_prec_enh,
  iclock_ADJ_lem,
  iclock_ADJ_lem {p ← q},
  abshack2
    {$a \leftarrow \mathit{ic}_p^i(T - \mathit{ADJ}_p^i)$,
     $b \leftarrow \mathit{ic}_q^i(T - \mathit{ADJ}_q^i)$,
     $c \leftarrow T$,
     $d \leftarrow S^i$,
     $e \leftarrow s_p^i$,
     $f \leftarrow \mathit{ADJ}_p^i$,
     $g \leftarrow s_q^i$,
     $h \leftarrow \mathit{ADJ}_q^i$,
     $aa \leftarrow \rho * (|T - S^i| + \alpha(\beta' + 2 * \Delta'))$,
     $bb \leftarrow \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta')$}

End delay3
delay4: Module

Using arith, clockassumptions, delay3
Exporting all with clockassumptions, delay3


Theory

p, q, p1, q1: Var process

i: Var event

X, S, T: Var Clocktime

s, t, t1, t2: Var time

γ: Var function[process → Clocktime]

ppred, ppred1: Var function[process → bool]

option1, option2: bool

option1_alg: Axiom $\mathrm{option1} \supset T_p^{i+1} = (i+1) * R + T^0$
option2_alg: Axiom $\mathrm{option2} \supset T_p^{i+1} = (i+1) * R + T^0 - \mathit{ADJ}_p^i$
options_disjoint: Axiom $\neg(\mathrm{option1} \wedge \mathrm{option2})$


option1_bounded_delay: Lemma
  $\mathrm{option1} \wedge (\beta = 2 * \rho * (R - (S^0 - T^0)) + \beta') \wedge \mathrm{wpred}(i)(p) \wedge \mathrm{wpred}(i)(q)$
  $\supset |t_p^{i+1} - t_q^{i+1}| \le \beta$


option2_bounded_delay: Lemma
  $\mathrm{option2} \wedge (\beta = \beta' - 2 * \rho * (S^0 - T^0)) \wedge \mathrm{wpred}(i)(p) \wedge \mathrm{wpred}(i)(q)$
  $\supset |t_p^{i+1} - t_q^{i+1}| \le \beta$


option2_convert_lemma: Lemma
  $(\beta = \beta' - 2 * \rho * (S^0 - T^0))$
  $\supset 2 * \rho * ((R - (S^0 - T^0)) + \alpha(\beta' + 2 * \Delta'))$
  $\quad + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta')$
  $\le \beta$


option2_good_interval: Lemma
  $\mathrm{option2} \wedge \mathrm{wpred}(i)(p) \supset \mathrm{good\_interval}(p, i, (i+1) * R + T^0)$


R_FIX_SYNC_0: Axiom $R - (S^0 - T^0) \ge 0$
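
The following worked derivation is added here and is not part of the EHDM module text; it traces the instantiation that option2_bounded_delay_pr hands to the prover, so that the shape of the two β definitions above is visible. It assumes, from how the lemmas are cited in the proofs, that synctime_defn states $t_p^{i+1} = \mathit{ic}_p^i(T_p^{i+1})$, that iclock_ADJ_lem states $\mathit{ic}_p^{i+1}(T) = \mathit{ic}_p^i(T - \mathit{ADJ}_p^i)$, and that S*1 states $S^i = i * R + S^0$; these three readings are assumptions made here, not statements taken from the page.

$$
\begin{aligned}
t_p^{i+1}
  &= \mathit{ic}_p^i((i+1) * R + T^0 - \mathit{ADJ}_p^i) = \mathit{ic}_p^{i+1}((i+1) * R + T^0)
  && \text{(option2\_alg, synctime\_defn, iclock\_ADJ\_lem)} \\
|T - S^i|
  &= |(i+1) * R + T^0 - (i * R + S^0)| = R - (S^0 - T^0)
  && (T = (i+1) * R + T^0;\ \text{S*1, R\_FIX\_SYNC\_0, abs\_ge0}) \\
|t_p^{i+1} - t_q^{i+1}|
  &\le 2 * \rho * ((R - (S^0 - T^0)) + \alpha(\beta' + 2 * \Delta')) + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta')
  && \text{(bound\_future, good\_interval from option2\_good\_interval)} \\
  &= \big(2 * \rho * (R + \alpha(\beta' + 2 * \Delta')) + \pi(2 * (\Delta' + 1), \beta' + 2 * \Delta')\big) - 2 * \rho * (S^0 - T^0)
  && \text{(mult\_ldistrib\_minus)} \\
  &\le \beta' - 2 * \rho * (S^0 - T^0) = \beta
  && \text{(betaprime\_ax, option2\_convert\_lemma)}
\end{aligned}
$$

For option 1 the synchronization clock time is not shifted by $\mathit{ADJ}_p^i$, so option1_bounded_delay_pr does not go through bound_future at all: it combines delay_offset, which bounds $|s_p^i - s_q^i|$ by $\beta'$, with RATE_lemma1_iclock over the clock-time interval from $S^i$ to $(i+1) * R + T^0$, whose length is the same $R - (S^0 - T^0)$ computed above; that is where the extra $2 * \rho * (R - (S^0 - T^0))$ in its definition of $\beta$ comes from.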


Proof 
option1_bounded_delay_pr: Prove option1_bounded_delay from
  RATE_lemma1_iclock {$S \leftarrow (i+1) * R + T^0$, $T \leftarrow S^i$},
  S*1,
  delay_offset,
  wpred_fixtime,
  wpred_fixtime {p ← q},
  synctime_defn,
  synctime_defn {p ← q},
  s*2,
  s*1,
  s*2 {p ← q},
  s*1 {p ← q},
  option1_alg,
  option1_alg {p ← q},
  R_FIX_SYNC_0

option2_good_interval_pr: Prove option2_good_interval from
  good_interval {$T \leftarrow T_p^{i+1} + \mathit{ADJ}_p^i$},
  wpred_fixtime,
  wpred_hi_lem,
  rts_new_1,
  iclock_ADJ_lem {T ← T@p1},
  synctime_defn,
  Alpha_0,
  option2_alg

option2_convert_lemma_pr: Prove option2_convert_lemma from
  betaprime_ax,
  mult_ldistrib_minus
    {$x \leftarrow \rho$,
     $y \leftarrow R + \alpha(\beta' + 2 * \Delta')$,
     $z \leftarrow (S^0 - T^0)$}

option2_bounded_delay_pr: Prove option2_bounded_delay from
  option2_convert_lemma,
  option2_good_interval,
  option2_good_interval {p ← q},
  bound_future {$T \leftarrow (i+1) * R + T^0$},
  option2_alg,
  option2_alg {p ← q},
  iclock_ADJ_lem {T ← T@p4},
  iclock_ADJ_lem {T ← T@p4, p ← q},
  synctime_defn,
  synctime_defn {p ← q},
  S*1,
  R_0_lem,
  bnd_delay_offset,
  bnd_delay_offset {i ← i + 1},
  abs_ge0 {$x \leftarrow (R - (S^0 - T^0))$},
  R_FIX_SYNC_0

End delay4